API keys
Programmatic credentials for third-party integrations
API keys authenticate requests as a specific user. Generated keys are shown once at creation — the server only stores a SHA-256 hash plus the 12-character prefix for display.
Resource overview
GET
/api/api-keysSessionPOST
/api/api-keysSessionGET
/api/api-keys/{id}SessionPATCH
/api/api-keys/{id}SessionDELETE
/api/api-keys/{id}SessionAPI key management requires session authentication (the dashboard). You cannot manage keys with another API key.
List keys
GET
/api/api-keysSession200
{
"data": [
{
"id": "key-uuid",
"name": "Zapier integration",
"keyPrefix": "tke_live_aB",
"status": "active",
"createdAt": "2026-05-01T12:00:00Z",
"lastUsedAt": "2026-05-20T10:14:00Z",
"expiresAt": null
}
]
}Create key
POST
/api/api-keysSession| Name | Type | Required | Description |
|---|---|---|---|
name | string | Required | Human-readable label. |
expiresAt | string (ISO 8601) | Optional | Optional expiry. The key flips to `expired` after this date. |
201The full key is returned once — store it immediately.
{
"id": "key-uuid",
"name": "Zapier integration",
"key": "tke_live_aB3dE5gH7jK9mN1pQ3rS5tU7vW9xY1zA",
"keyPrefix": "tke_live_aB",
"status": "active",
"createdAt": "2026-05-20T10:00:00Z"
}Key format
tke_live_<22-character base64url random>| Segment | Meaning |
|---|---|
tke | Product prefix (configurable via API_KEY_PREFIX). |
live | Environment (API_KEY_ENVIRONMENT). |
| random | 24 bytes of CSPRNG entropy, base64url-encoded. |
Update / revoke / delete
PATCH
/api/api-keys/{id}SessionSet status to revoked to disable the key without deleting the audit trail.
DELETE
/api/api-keys/{id}SessionHard-deletes the key. Prefer revoke unless you need to free the name.
See Authentication for sending the key.