Mints a new API key. The full plaintext key is returned in the response EXACTLY ONCE. The caller must capture and store it immediately -- there is no way to retrieve it later.

curl --request POST \
  --url https://{install}/api/admin/api-key \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "expiresAt": "2023-11-07T05:31:56Z"
}
'

POST

api

admin

api-key

Mints a new API key. The full plaintext key is returned in the response EXACTLY ONCE. The caller must capture and store it immediately -- there is no way to retrieve it later.

curl --request POST \
  --url https://{install}/api/admin/api-key \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "expiresAt": "2023-11-07T05:31:56Z"
}
'

Authorizations

Authorization

string

header

required

JWT Bearer token. Obtain via the OAuth 2.0 token endpoint.

Body

Name (required) and optional ExpiresAt.

Inbound payload for POST /api/admin/api-key.

name

string

Human-readable name. e.g. "CI deploy bot".

expiresAt

null | string<date-time>

Optional expiry. Null means no expiry.

Response

Key minted. Capture the RawKey field NOW.

Lists all API keys for the current tenant (most recently created first). Hashes are stripped from the returned records; only the display prefix and metadata are visible.

Revokes an API key. Soft-delete -- the row is preserved for audit; the key stops working immediately. Idempotent: revoking an already-revoked key is a no-op.