API Key Management
Use API key management endpoints to list, create, update, rotate, and delete API keys for an organization.
API key secrets are returned only when a key is created or rotated.
List API Keys
GET /organizations/{org_id}/api_keys
Lists API keys for an organization.
Permission: api-read
Response:
{
"data": [
{
"id": "ak_...",
"name": "Production key",
"active": true,
"permissions": ["inference"],
"created_at": "2026-01-01T00:00:00Z",
"expires_at": null
}
]
}Create API Key
POST /organizations/{org_id}/api_keys
Creates an API key.
Permission: api-admin
Request:
{
"name": "CI key",
"permissions": ["api-read", "api-write"],
"expires_at": "2026-12-31T00:00:00Z"
}Fields:
| Field | Type | Required | Description |
|---|---|---|---|
name | string | No | Human-readable key name. |
permissions | string array | No | Defaults to ["inference"]. Must not be empty. |
expires_at | timestamp or null | No | Expiration time. Omit for no expiration. |
Response:
{
"data": {
"key": "sk_mxl_...",
"id": "ak_...",
"name": "CI key",
"active": true,
"permissions": ["api-read", "api-write"],
"created_at": "2026-01-01T00:00:00Z",
"expires_at": "2026-12-31T00:00:00Z"
}
}Update API Key
PATCH /organizations/{org_id}/api_keys/{key_id}
Updates an API key.
Permission: api-admin
Request:
{
"name": "New key name",
"active": false,
"permissions": ["inference", "api-read"],
"expires_at": null
}Fields:
| Field | Type | Required | Description |
|---|---|---|---|
name | string | No | New key name. |
active | boolean | No | false disables the key; true enables it. |
permissions | string array | No | Replacement permission list. Must not be empty. |
expires_at | timestamp, null, or omitted | No | Timestamp sets expiration, null clears expiration, omitted leaves unchanged. |
Response: 204 No Content
Rotate API Key
POST /organizations/{org_id}/api_keys/{key_id}/rotate
Rotates an API key secret.
Permission: api-admin
Response:
{
"data": {
"key": "sk_mxl_...",
"id": "ak_...",
"name": "Production key",
"active": true,
"permissions": ["inference"],
"created_at": "2026-01-01T00:00:00Z",
"expires_at": null
}
}Delete API Key
DELETE /organizations/{org_id}/api_keys/{key_id}
Deletes an API key.
Permission: api-admin
Response: 204 No Content
Errors
All endpoints can return:
{
"error": {
"message": "resource not found"
}
}Common statuses:
| Status | Code | When |
|---|---|---|
400 | none | Invalid JSON, empty permissions, invalid permission, or an update with no fields. |
401 | none | Authentication failed. |
403 | insufficient_api_key_permissions | API key does not have api-admin or tried to grant permissions it does not have. |
403 | forbidden | A user session tried to manage an api-admin key without owner access. |
404 | none | Organization, key, or API-key organization scope was not found. |
500 | none | Internal error. |