API Keys

About 368 wordsAbout 1 min

API keys authenticate all management API requests. Keys are prefixed hk_ and are stored as SHA-256 hashes — the full key is shown only once at creation.

Create API key

POST /v1/api-keys

Authentication: Bearer

Request body

Field	Type	Required	Description
`name`	string	Yes	Label for this key (e.g. `"CI/CD"`, `"Dashboard"`)

Response `201 Created`

{
  "data": {
    "id": "k1k2k3k4-...",
    "account_id": "a1a2a3a4-...",
    "name": "CI/CD",
    "key_prefix": "hk_c3d4",
    "key": "hk_c3d4e5f6...",
    "created_at": "2024-01-15T12:00:00Z",
    "revoked_at": null
  }
}

key is shown exactly once

Copy the key immediately. It is not stored in plaintext and cannot be retrieved or exported again — not via the API, not from the dashboard.

Errors

Status	Error	Cause
`400`	`name is required`	Missing or empty `name` field
`401`	Unauthorized	Invalid or missing Bearer token

curl example

curl -s -X POST http://localhost:8080/v1/api-keys \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI/CD Pipeline"}' | jq .

List API keys

Returns all non-revoked API keys for the account.

GET /v1/api-keys

Authentication: Bearer

Response `200 OK`

{
  "data": [
    {
      "id": "k1k2k3k4-...",
      "account_id": "a1a2a3a4-...",
      "name": "default",
      "key_prefix": "hk_a1b2",
      "created_at": "2024-01-15T10:00:00Z",
      "revoked_at": null
    },
    {
      "id": "k5k6k7k8-...",
      "account_id": "a1a2a3a4-...",
      "name": "CI/CD Pipeline",
      "key_prefix": "hk_c3d4",
      "created_at": "2024-01-15T12:00:00Z",
      "revoked_at": null
    }
  ]
}

Note: The full key value is never returned in list responses — only the short key_prefix for identification purposes. API keys cannot be exported from the list endpoint or through any bulk-export mechanism.

curl example

curl -s http://localhost:8080/v1/api-keys \
  -H "Authorization: Bearer $API_KEY" | jq .

Revoke API key

Permanently revokes a key. Revoked keys return 401 immediately on any request.

DELETE /v1/api-keys/{id}

Authentication: Bearer

Path parameters

Parameter	Type	Description
`id`	UUID	The API key ID to revoke

Response `204 No Content`

Empty body.

Errors

Status	Error	Cause
`400`	`invalid id`	`{id}` is not a valid UUID
`404`	Not Found	Key not found or belongs to a different account

curl example

curl -s -X DELETE http://localhost:8080/v1/api-keys/k5k6k7k8-... \
  -H "Authorization: Bearer $API_KEY"

Cannot revoke your own active key

If you revoke the key you're currently using, all subsequent requests will fail. Create a replacement key first.