API keys
API keys are the only credential. Every authenticated request includes Authorization: Bearer <plaintext>.
List keys
Section titled “List keys”GET /api_keysAuthorization: Bearer <key>[ { "id": "...", "prefix": "ak_live_abcd", "label": "Signup default", "client_kind": "direct", "last_used_at": "2026-04-28T10:15:00Z", "created_at": "2026-04-27T20:03:51Z" }]Plaintext is never returned by GET — only prefix. If you’ve lost a key, issue a new one and revoke the old.
Issue a new key
Section titled “Issue a new key”POST /api_keysAuthorization: Bearer <key>Content-Type: application/jsonIdempotency-Key: optional-stable-key
{ "label": "Claude Desktop", "client_kind": "mcp" }| Field | Required | Notes |
|---|---|---|
label | yes | Human-readable identifier. |
client_kind | no | One of direct (default), mcp, sdk. Used for traffic attribution in /usage. |
Response
Section titled “Response”{ "id": "...", "prefix": "ak_live_xxxx", "label": "Claude Desktop", "client_kind": "mcp", "created_at": "...", "plaintext": "ak_live_xxxx...XYZ"}The plaintext field is one-shot — never returned again.
Revoke a key
Section titled “Revoke a key”DELETE /api_keys/:idAuthorization: Bearer <key>{ "id": "...", "status": "revoked" }The endpoint refuses with 422 cannot_revoke_last_key if it would leave the account with zero active keys (lockout protection). You can revoke yourself via the same key you’re authenticating with — but only if at least one other active key exists.
Errors
Section titled “Errors”| Status | Code | When |
|---|---|---|
| 401 | unauthorized | Missing or invalid Bearer token. |
| 404 | api_key_not_found | DELETE on a key id that doesn’t exist or belongs to another account. |
| 422 | validation_failed | POST with missing label or unknown client_kind. |
| 422 | cannot_revoke_last_key | DELETE would leave zero active keys. |