Format and storage
Plaintext keys are 35 characters, prefixed withkk_:
Create a key
Open API keys in the dashboard, click Create API key, choose a name and the scopes the key should hold. The platform shows the plaintext exactly once; store it in your secret manager before closing the dialog. If you prefer the API, the same operation lives atPOST /v1/auth/api-keys and is part of the dashboard surface — it requires a session cookie, not another API key.
Authenticate a request
Send the key in theAuthorization header:
api_keys row. Disabled keys, keys whose owning organization is pending deletion, or keys without the scope the endpoint requires all reject with the appropriate error code.
Rotate a key
Treat a key as compromised the moment it might have leaked (debug log, screenshot, accidental commit). Rotation is two steps:- Mint a new key with the same scopes.
- Deploy your service with the new key.
- Delete the old key from the dashboard or via
DELETE /v1/auth/api-keys/:id.
UNAUTHORIZED.
Revoke without deleting
Setenabled: false via PATCH /v1/auth/api-keys/:id if you want to disable a key without losing the audit trail (request count, creation time, name). Re-enable later by setting enabled: true.
Conventions
- One key per service or environment. Don’t share keys across staging and production.
- Name keys after where they run:
payments-prod,support-tooling,staging-bff. The dashboard uses the name to pick which key to revoke during incident response. - Avoid embedding keys in source-controlled files. Store them in your secret manager and inject at deploy time.
- Don’t use API keys in browser code. They have organization-wide scope and should never reach an end user.