API reference

API keys

Identify the current key, then create, list, retrieve, rename, rotate, and revoke API keys from the public API.

Use GET /v1/account when you need to confirm which dashboard account, project, environment, and API key a bearer token belongs to. The /v1/me path is an alias for agents and clients that look for a whoami-style route.

Current account

GET/v1/account

Requires a valid bearer API key but no additional scope. The response includes one dashboard owner contact for account matching, and never returns plaintext API-key secrets or the full member list.

Response

FieldTypeNotes
objectrequired"account_profile"
organizationrequiredobject
projectrequiredobject
environmentrequiredobject
api_keyrequiredobject
dashboard_ownerrequiredobject | null

Current account alias

GET/v1/me

Alias of GET /v1/account.

Response

FieldTypeNotes
objectrequired"account_profile"
organizationrequiredobject
projectrequiredobject
environmentrequiredobject
api_keyrequiredobject
dashboard_ownerrequiredobject | null
Agents can bootstrap a first key with the unauthenticated device flow below. The approved credential is a Tyxter kind=agent API key, not an OAuth access token for public /v1/* routes. API keys can create child keys only with strict subset scopes, and API-key callers can never grant api_keys:admin. Create and rotate responses return the plaintext secret once.

Agent device authorization

POST/v1/agent-api-key-device-authorizations201 Created

Create a 15-minute device request without an Authorization header. Send the dashboard owner/admin to verification_uri_complete; approval selects the target project and environment.

Request body

FieldTypeNotes
client_namerequiredstring
len 1..80
environmentrequired"sandbox" | "production"
scopesrequiredstring[]
expires_atstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$

Response

FieldTypeNotes
objectrequired"agent_api_key_device_authorization"
device_coderequiredstring
len 1..∞
user_coderequiredstring
len 1..∞
verification_urirequiredstring
verification_uri_completerequiredstring
expires_inrequiredinteger
range -∞..9007199254740991
intervalrequiredinteger
range -∞..9007199254740991

Agent device token poll

POST/v1/agent-api-key-device-authorizations/token

Poll without an Authorization header using the returned device_code. HTTP 202 means the request is still pending. HTTP 200 returns the one-time API key and preflight checks. Terminal errors include invalid_device_code, device_code_expired, and authorization_denied.

Request body

FieldTypeNotes
grant_typerequired"urn:ietf:params:oauth:grant-type:device_code"
device_coderequiredstring
len 1..∞

Response

FieldTypeNotes
No fields.

Create

POST/v1/api-keys201 Created

Request body

FieldTypeNotes
namerequiredstring
len 1..∞
environmentrequired"sandbox" | "production"
scopesrequiredstring[]
expires_atstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$

Response

FieldTypeNotes
idrequiredstring
objectrequired"api_key"
namerequiredstring
key_prefixrequiredstring
scopesrequiredstring[]
kindrequired"standard" | "agent"
statusrequired"active" | "revoked"
environmentrequired"sandbox" | "production"
last_used_atrequiredstring<ISO-8601> | null
expires_atrequiredstring<ISO-8601> | null
created_atrequiredstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$
revoked_atrequiredstring<ISO-8601> | null
secretrequiredstring

List

GET/v1/api-keys

Query

FieldTypeNotes
limitrequiredinteger
Maximum number of items to return. Defaults to 20; maximum 100.
range 1..100
starting_afterstring
Opaque cursor from the previous response next_cursor.

Response

FieldTypeNotes
objectrequired"list"
datarequiredobject[]
has_morerequiredboolean
next_cursorrequiredstring | null

Retrieve

GET/v1/api-keys/{'{api_key_id}'}

Response

FieldTypeNotes
idrequiredstring
objectrequired"api_key"
namerequiredstring
key_prefixrequiredstring
scopesrequiredstring[]
kindrequired"standard" | "agent"
statusrequired"active" | "revoked"
environmentrequired"sandbox" | "production"
last_used_atrequiredstring<ISO-8601> | null
expires_atrequiredstring<ISO-8601> | null
created_atrequiredstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$
revoked_atrequiredstring<ISO-8601> | null

Rename

PATCH/v1/api-keys/{'{api_key_id}'}

Request body

FieldTypeNotes
namerequiredstring
len 3..80

Response

FieldTypeNotes
idrequiredstring
objectrequired"api_key"
namerequiredstring
key_prefixrequiredstring
scopesrequiredstring[]
kindrequired"standard" | "agent"
statusrequired"active" | "revoked"
environmentrequired"sandbox" | "production"
last_used_atrequiredstring<ISO-8601> | null
expires_atrequiredstring<ISO-8601> | null
created_atrequiredstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$
revoked_atrequiredstring<ISO-8601> | null

Rotate

POST/v1/api-keys/{'{api_key_id}'}/rotate

Rotation returns the new secret once and invalidates the previous secret hash. Update clients before revoking fallback keys.

Response

FieldTypeNotes
idrequiredstring
objectrequired"api_key"
namerequiredstring
key_prefixrequiredstring
scopesrequiredstring[]
kindrequired"standard" | "agent"
statusrequired"active" | "revoked"
environmentrequired"sandbox" | "production"
last_used_atrequiredstring<ISO-8601> | null
expires_atrequiredstring<ISO-8601> | null
created_atrequiredstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$
revoked_atrequiredstring<ISO-8601> | null
secretrequiredstring

Revoke

DELETE/v1/api-keys/{'{api_key_id}'}

Revocation is idempotent. Already revoked keys return their existing revoked state.

Response

FieldTypeNotes
idrequiredstring
objectrequired"api_key"
namerequiredstring
key_prefixrequiredstring
scopesrequiredstring[]
kindrequired"standard" | "agent"
statusrequired"active" | "revoked"
environmentrequired"sandbox" | "production"
last_used_atrequiredstring<ISO-8601> | null
expires_atrequiredstring<ISO-8601> | null
created_atrequiredstring<ISO-8601>
pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$
revoked_atrequiredstring<ISO-8601> | null

Environment binding

Sandbox keys can only access sandbox environments. Production keys can only access production environments. Cross-environment requests are rejected before business logic runs.

Scopes

Keys carry explicit scopes such as messages:write, templates:read, and webhooks:write. Create the narrowest key your integration needs.