API keys
Identify the current key, then create, list, retrieve, rename, rotate, and revoke API keys from the public API.
GET /v1/account when you need to confirm which dashboard account, project, environment, and API key a bearer token belongs to. The /v1/me path is an alias for agents and clients that look for a whoami-style route.Current account
Requires a valid bearer API key but no additional scope. The response includes one dashboard owner contact for account matching, and never returns plaintext API-key secrets or the full member list.
Response
| Field | Type | Notes |
|---|---|---|
objectrequired | "account_profile" | |
organizationrequired | object | |
projectrequired | object | |
environmentrequired | object | |
api_keyrequired | object | |
dashboard_ownerrequired | object | null |
Current account alias
Alias of GET /v1/account.
Response
| Field | Type | Notes |
|---|---|---|
objectrequired | "account_profile" | |
organizationrequired | object | |
projectrequired | object | |
environmentrequired | object | |
api_keyrequired | object | |
dashboard_ownerrequired | object | null |
kind=agent API key, not an OAuth access token for public /v1/* routes. API keys can create child keys only with strict subset scopes, and API-key callers can never grant api_keys:admin. Create and rotate responses return the plaintext secret once.Agent device authorization
Create a 15-minute device request without an Authorization header. Send the dashboard owner/admin to verification_uri_complete; approval selects the target project and environment.
Request body
| Field | Type | Notes |
|---|---|---|
client_namerequired | string | len 1..80 |
environmentrequired | "sandbox" | "production" | |
scopesrequired | string[] | |
expires_at | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
Response
| Field | Type | Notes |
|---|---|---|
objectrequired | "agent_api_key_device_authorization" | |
device_coderequired | string | len 1..∞ |
user_coderequired | string | len 1..∞ |
verification_urirequired | string | |
verification_uri_completerequired | string | |
expires_inrequired | integer | range -∞..9007199254740991 |
intervalrequired | integer | range -∞..9007199254740991 |
Agent device token poll
Poll without an Authorization header using the returned device_code. HTTP 202 means the request is still pending. HTTP 200 returns the one-time API key and preflight checks. Terminal errors include invalid_device_code, device_code_expired, and authorization_denied.
Request body
| Field | Type | Notes |
|---|---|---|
grant_typerequired | "urn:ietf:params:oauth:grant-type:device_code" | |
device_coderequired | string | len 1..∞ |
Response
| Field | Type | Notes |
|---|---|---|
| No fields. | ||
Create
Request body
| Field | Type | Notes |
|---|---|---|
namerequired | string | len 1..∞ |
environmentrequired | "sandbox" | "production" | |
scopesrequired | string[] | |
expires_at | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
Response
| Field | Type | Notes |
|---|---|---|
idrequired | string | |
objectrequired | "api_key" | |
namerequired | string | |
key_prefixrequired | string | |
scopesrequired | string[] | |
kindrequired | "standard" | "agent" | |
statusrequired | "active" | "revoked" | |
environmentrequired | "sandbox" | "production" | |
last_used_atrequired | string<ISO-8601> | null | |
expires_atrequired | string<ISO-8601> | null | |
created_atrequired | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
revoked_atrequired | string<ISO-8601> | null | |
secretrequired | string |
List
Query
| Field | Type | Notes |
|---|---|---|
limitrequired | integer | Maximum number of items to return. Defaults to 20; maximum 100. range 1..100 |
starting_after | string | Opaque cursor from the previous response next_cursor. |
Response
| Field | Type | Notes |
|---|---|---|
objectrequired | "list" | |
datarequired | object[] | |
has_morerequired | boolean | |
next_cursorrequired | string | null |
Retrieve
Response
| Field | Type | Notes |
|---|---|---|
idrequired | string | |
objectrequired | "api_key" | |
namerequired | string | |
key_prefixrequired | string | |
scopesrequired | string[] | |
kindrequired | "standard" | "agent" | |
statusrequired | "active" | "revoked" | |
environmentrequired | "sandbox" | "production" | |
last_used_atrequired | string<ISO-8601> | null | |
expires_atrequired | string<ISO-8601> | null | |
created_atrequired | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
revoked_atrequired | string<ISO-8601> | null |
Rename
Request body
| Field | Type | Notes |
|---|---|---|
namerequired | string | len 3..80 |
Response
| Field | Type | Notes |
|---|---|---|
idrequired | string | |
objectrequired | "api_key" | |
namerequired | string | |
key_prefixrequired | string | |
scopesrequired | string[] | |
kindrequired | "standard" | "agent" | |
statusrequired | "active" | "revoked" | |
environmentrequired | "sandbox" | "production" | |
last_used_atrequired | string<ISO-8601> | null | |
expires_atrequired | string<ISO-8601> | null | |
created_atrequired | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
revoked_atrequired | string<ISO-8601> | null |
Rotate
Rotation returns the new secret once and invalidates the previous secret hash. Update clients before revoking fallback keys.
Response
| Field | Type | Notes |
|---|---|---|
idrequired | string | |
objectrequired | "api_key" | |
namerequired | string | |
key_prefixrequired | string | |
scopesrequired | string[] | |
kindrequired | "standard" | "agent" | |
statusrequired | "active" | "revoked" | |
environmentrequired | "sandbox" | "production" | |
last_used_atrequired | string<ISO-8601> | null | |
expires_atrequired | string<ISO-8601> | null | |
created_atrequired | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
revoked_atrequired | string<ISO-8601> | null | |
secretrequired | string |
Revoke
Revocation is idempotent. Already revoked keys return their existing revoked state.
Response
| Field | Type | Notes |
|---|---|---|
idrequired | string | |
objectrequired | "api_key" | |
namerequired | string | |
key_prefixrequired | string | |
scopesrequired | string[] | |
kindrequired | "standard" | "agent" | |
statusrequired | "active" | "revoked" | |
environmentrequired | "sandbox" | "production" | |
last_used_atrequired | string<ISO-8601> | null | |
expires_atrequired | string<ISO-8601> | null | |
created_atrequired | string<ISO-8601> | pattern: ^(?:(?:\d\d[2468][048]|\d\d[13579][26]|\d\d0[48]|[02468][048]00|[13579][26]00)-02-29|\d{4}-(?:(?:0[13578]|1[02])-(?:0[1-9]|[12]\d|3[01])|(?:0[469]|11)-(?:0[1-9]|[12]\d|30)|(?:02)-(?:0[1-9]|1\d|2[0-8])))T(?:(?:[01]\d|2[0-3]):[0-5]\d(?::[0-5]\d(?:\.\d+)?)?(?:Z|([+-](?:[01]\d|2[0-3]):[0-5]\d)))$ |
revoked_atrequired | string<ISO-8601> | null |
Environment binding
Sandbox keys can only access sandbox environments. Production keys can only access production environments. Cross-environment requests are rejected before business logic runs.
Scopes
Keys carry explicit scopes such as messages:write, templates:read, and webhooks:write. Create the narrowest key your integration needs.