API key management

API keys are created and managed under a business account. All key management calls require a business JWT (bearer token from api.login()).

Create a key

const { data } = await api.createApiKey({ body: { name: 'production' } });
const { key, apiKey } = data;
// key — the full secret (shown once only)
// apiKey.keyPrefix — safe to display in UIs

Store the key immediately

The full key string is only returned on creation or rotation. It cannot be retrieved again.

Rotate a key

const { data } = await api.rotateApiKey({ path: { id: apiKey.id } });
// data.key is the new secret — store it immediately

Revoke a key

await api.revokeApiKey({ path: { id: apiKey.id } });

Restrict by origin

For browser clients you can restrict which origins may use a key. Requests from unlisted origins will be rejected.

await api.addApiKeyOrigin({
  path: { id: apiKey.id },
  body: { origin: 'https://your-app.com' },
});

// List
const { data } = await api.listApiKeyOrigins({ path: { id: apiKey.id } });

// Remove (originId is the id of the origin entry to remove)
await api.removeApiKeyOrigin({ path: { id: apiKey.id, origin_id: originId } });
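
An allowlist entry is only useful if it is exactly the string a browser sends as its Origin header. The following is an added example, not part of the SDK: it validates candidate origins before they reach api.addApiKeyOrigin() and works out which existing entries are stale. The helper names normalizeOrigin and planOriginChanges, the exact-match comparison on the server, and the { id, origin } shape of list entries are assumptions.

```javascript
// Added example (not SDK code). Assumption: the service compares the browser's
// Origin header to each entry exactly, so entries must be bare, serialized origins.
function normalizeOrigin(input) {
  if (typeof input !== 'string') throw new Error('origin must be a string');
  if (input.includes('*')) throw new Error(`wildcard is not a single origin: ${input}`);
  let url;
  try {
    url = new URL(input.trim());
  } catch {
    throw new Error(`not an absolute URL: ${input}`);
  }
  const isLocal = url.hostname === 'localhost' || url.hostname === '127.0.0.1';
  if (url.protocol !== 'https:' && !(url.protocol === 'http:' && isLocal)) {
    throw new Error(`https required outside local development: ${input}`);
  }
  if (url.username || url.password) throw new Error(`credentials in origin: ${input}`);
  if (url.pathname !== '/' || url.search || url.hash) {
    throw new Error(`origin must not carry a path, query or fragment: ${input}`);
  }
  return url.origin; // host lower-cased, default port dropped, no trailing slash
}

// Compare the allowlist you want with what the key currently has.
// `current` is assumed to be an array of { id, origin } objects.
function planOriginChanges(desired, current) {
  const want = new Set(desired.map(normalizeOrigin));
  const kept = new Set();
  const toRemove = [];
  for (const entry of current) {
    // Keep only exact, wanted, non-duplicate entries; everything else is stale.
    if (want.has(entry.origin) && !kept.has(entry.origin)) kept.add(entry.origin);
    else toRemove.push(entry.id);
  }
  return { toAdd: [...want].filter((o) => !kept.has(o)), toRemove };
}

// Constructed sample data.
const currentOrigins = [
  { id: 'o1', origin: 'https://your-app.com' },
  { id: 'o2', origin: 'https://old-staging.your-app.com' },
  { id: 'o3', origin: 'https://your-app.com/' }, // trailing slash: not a serialized origin
];
const plan = planOriginChanges(
  ['HTTPS://Your-App.com:443/', 'https://admin.your-app.com'],
  currentOrigins,
);
console.log(plan);
```

Pass each toAdd value to api.addApiKeyOrigin() and each toRemove id to api.removeApiKeyOrigin() as origin_id.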

Audit logs

Every API call made with a key is logged. Filter by key, method, path, status class, or time window:

const { data } = await api.getLogs({
  query: {
    apiKeyId: apiKey.id,
    statusClass: 4,  // 4xx errors only
    startTime: '2026-05-01T00:00:00Z',
  },
});