| Method | Endpoint | Quick Link |
|---|---|---|
| POST | /user/api-keys | Create an API key |
| GET | /user/api-keys | List API keys |
| DELETE | /user/api-keys/{api_key_id} | Archive an API key |
| PUT | /user/api-keys/{api_key_id}/reactivate | Reactivate an API key |

Best practices
- Use one key per environment: separate keys for development, staging, and production make rotation easy and limit blast radius if a key is compromised.
- Use one key per service: this allows you to revoke a single service's access without affecting others.
- Rotate keys regularly: create a new key, update your secret store, then archive the old key.
- Never hardcode keys: use environment variables or a secrets manager. Never commit keys to version control.
- Monitor `last_used_at`: keys with no recent activity may be safe to archive.
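
The rotation order and the `last_used_at` check above, as an added example that is not part of this API's own documentation. It assumes a hypothetical `call(method, path, body)` HTTP helper and `store_secret(value)` secrets-manager writer, assumed field names `name`, `id` and `key`, ISO 8601 timestamps, and an arbitrary 90-day idle threshold.

```python
from datetime import datetime, timedelta

def rotate_key(call, store_secret, old_key_id, name):
    """Create a replacement key, publish it, then archive the old key.

    call(method, path, body) -> parsed JSON: hypothetical HTTP helper.
    store_secret(value): hypothetical secrets-manager writer, raises on failure.
    The "name", "id" and "key" fields are assumed, not taken from the page.
    """
    created = call("POST", "/user/api-keys", {"name": name})
    new_id, secret = created["id"], created["key"]
    try:
        store_secret(secret)
    except Exception:
        # Consumers never received the new secret: archive it, keep the old key live.
        call("DELETE", f"/user/api-keys/{new_id}", None)
        raise
    # Archive the old key only after the new one is readable from the store.
    call("DELETE", f"/user/api-keys/{old_key_id}", None)
    return new_id

def stale_key_ids(keys, now, max_idle_days=90):
    """Ids of keys whose last_used_at is missing or older than max_idle_days.

    now must be timezone-aware. Never-used keys are reported too; check their
    age before archiving, since a freshly created key also has no activity.
    """
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for key in keys:
        used = key.get("last_used_at")  # assumed ISO 8601 string or None
        if used is None or datetime.fromisoformat(used.replace("Z", "+00:00")) < cutoff:
            stale.append(key["id"])
    return stale

# Constructed sample of a List API keys response (field names assumed).
SAMPLE_KEYS = [
    {"id": "key_a", "last_used_at": "2024-05-30T12:00:00Z"},
    {"id": "key_b", "last_used_at": "2024-01-02T08:00:00Z"},
    {"id": "key_c", "last_used_at": None},
]
```

If the secret store write fails, the old key stays active and the unused new key is archived, so a failed rotation never leaves a service without a working credential.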