---
title: "API keys"
description: "Create, scope, and revoke the keys that authenticate API requests."
icon: "key"
---

> **For AI agents:** the complete documentation index is at [llms.txt](/llms.txt). Append `.md` to any page URL for its markdown version.

The **API Keys** page manages the keys your organization uses to call the API. From here you
create and revoke keys, scope them, set expiration and allowed IPs, and view per-key and
org-wide usage. A key's secret is shown once, at creation, and never again.

This page covers configuring keys in the console. For how a key authenticates a request, and
how scopes work, see [Authenticating with API keys](/platform/api-keys) and
[Resource filters](/platform/resource-filters).

<Note>
The page appears only after your organization is **bootstrapped** for API keys: a one-time
setup that provisions the key-signing infrastructure.
</Note>

## Creating a key

<Frame>
  <img src="/images/console/api-keys-create.png" alt="The Create API Key dialog" />
</Frame>

| Field | Type | Required | Notes |
|-------|------|----------|-------|
| Name | string | Yes | Label for the key |
| Expires at | date-time | No | Leave blank for no expiry |
| Scopes | list | Yes | One or more `action` + `resource filter` pairs |
| Allowed IP CIDRs | list | No | Defaults to allow-all (`0.0.0.0/0` and `::/0`) |

### Scopes

Each scope is an **action** plus a **resource filter**.

| Action | Meaning |
|--------|---------|
| `read` | Read access |
| `write` | Create, update, delete |
| `admin` | Administrative actions |
| `*` | Any action |

The resource filter limits which resources the action applies to. Clear it to mean all
resources (`*`). See [Resource filters](/platform/resource-filters) for the path syntax.

### Allowed IPs

Restrict a key to specific networks with CIDR ranges. IPv4 and IPv6 rules are matched
independently. A wildcard range (`0.0.0.0/0` or `::/0`) accepts all addresses of that
version, which the form flags with a warning.

## States

### Key status

| Status | Meaning |
|--------|---------|
| `Active` | Usable |
| `Expired` | Past its expiration |
| `Revoked` | Permanently disabled |

Filter the list by status (default: Active), and search by name.

### One-time secret

After you create a key, its secret value is shown **once**. You must acknowledge that you've
copied it before continuing. The secret is never retrievable again. If you lose it, revoke the
key and create a new one.

### Editing and revoking

- Editing scopes or allowed IPs can immediately break calls made with that key. The form
  warns before you save.
- Revoking a key is permanent. To remove a key, revoke it.

## API

<Note>
Key management endpoints are **coming soon** to the v2 API. For now, create, scope, and revoke
keys in the console. The created secret is shown once, at creation.
</Note>