Revoke an API key
Revoke (hard-delete) an API key by id. The revoke is effective immediately on every surface — the key stops authenticating at once. An unknown, already-revoked, or cross-tenant id returns not-found; a revoke is never silently successful on a missing key.
Revoke (hard-delete) an API key by id. The revoke is effective immediately on every surface — the key stops authenticating at once. An unknown, already-revoked, or cross-tenant id returns not-found; a revoke is never silently successful on a missing key.
The per-tenant API key. Sent as the x-api-key request header. The key
is tenant-scoped.
In: header
Path Parameters
The API key's opaque id (e.g. key_…).
Response Body
application/json
application/json
application/json
application/json
application/json
curl -X DELETE "https://example.com/api-keys/string"{ "api_key_id": "string", "revoked": true}{ "name": "string", "message": "string"}{ "name": "string", "message": "string"}{ "name": "string", "message": "string"}{ "name": "string", "message": "string"}Create an inbox-scoped API key POST
Create an API key pinned to this inbox (`scope_type=inbox`). The key can only ever operate on this one inbox. Otherwise identical to creating an organization key: the raw `secret` is returned **once**, and the no-escalation and key-limit rules apply. A key not permitted this inbox, or attempting to broaden its own scope, is forbidden.
List API keys GET
List the tenant's API keys, newest-first by default, with cursor pagination. Each entry carries the name, non-secret prefix, permissions, scope, and created/last-used timestamps — **never the secret**, which is shown only once at creation.