API Key Endpoints
The API key endpoints manage the full lifecycle of programmatic access keys, including creation, validation, scoping, rotation, and revocation. Served by ApiKeyController at /api/v1/api-keys.
Endpoints
| Method | Endpoint | Description | Role |
|---|---|---|---|
| POST | /api/v1/api-keys | Create API key | Any |
| GET | /api/v1/api-keys | List user's keys | Any |
| GET | /api/v1/api-keys/tenant | List tenant keys | Admin |
| POST | /api/v1/api-keys/validate | Validate a key | Any |
| DELETE | /api/v1/api-keys/:keyId | Revoke a key | Owner |
| DELETE | /api/v1/api-keys/user/:userId/all | Revoke all user keys | Admin |
| PATCH | /api/v1/api-keys/:keyId/scopes | Update key scopes | Owner |
| PATCH | /api/v1/api-keys/:keyId/ip-whitelist | Update IP whitelist | Owner |
| PATCH | /api/v1/api-keys/:keyId/rate-limit | Update rate limit | Owner |
| GET | /api/v1/api-keys/expiring | Get expiring keys | Admin |
| GET | /api/v1/api-keys/scopes | Get available scopes | Any |
| POST | /api/v1/api-keys/:keyId/rotate | Initiate key rotation | Owner |
| GET | /api/v1/api-keys/:keyId/rotation-status | Get rotation status | Owner |
| POST | /api/v1/api-keys/:keyId/rotation/cancel | Cancel rotation | Owner |
| POST | /api/v1/api-keys/:keyId/rotation/complete | Complete rotation now | Owner |
| GET | /api/v1/api-keys/rotation-recommendations | Get rotation recommendations | Any |
POST /api/v1/api-keys
Creates a new API key. The full key value is returned only once at creation time.
```json
{
  "name": "CI Pipeline Key",
  "description": "Used by CI/CD pipeline for deployments",
  "scopes": ["queries:read", "queries:execute"],
  "keyType": "service",
  "testMode": false,
  "expirationDays": 90,
  "ipWhitelist": ["10.0.0.0/8"],
  "rateLimit": 1000
}
```
| Status | Description |
|---|---|
| 201 | Key created, full key value returned |
| 400 | Invalid request or scope |
| 429 | API key limit exceeded for the user |
Key Rotation
Rotation creates a new key and schedules the old key for revocation after a grace period. During the grace period, both keys are valid.
- Initiate: POST /api/v1/api-keys/:keyId/rotate (returns the new key)
- Check status: GET /api/v1/api-keys/:keyId/rotation-status
- Complete early: POST /api/v1/api-keys/:keyId/rotation/complete (revokes the old key immediately)
- Cancel: POST /api/v1/api-keys/:keyId/rotation/cancel (keeps the old key, revokes the new key)
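The rotation lifecycle above, as an added example that is not part of this page or of ApiKeyController: a Python model of the rotation state machine that enforces the grace period, the window in which both keys validate, and the ROTATION_IN_PROGRESS / NO_ROTATION_IN_PROGRESS conditions from the Error Codes table. The record layout, the grace period length, SHA-256 storage of secrets, the `-<hex>` new-key id scheme and treating a revoked key as API_KEY_NOT_FOUND are assumptions, not the service's behaviour.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

class ApiKeyError(Exception):
    """args == (code, http_status); the codes are those in the page's Error Codes table."""

def _hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

class RotationStore:
    """Rotation lifecycle: rotate -> grace period (both keys valid) -> complete or cancel."""
    def __init__(self, grace_period: timedelta):
        self.grace_period, self.keys = grace_period, {}  # key_id -> record dict

    def create(self, key_id: str) -> str:
        secret = secrets.token_urlsafe(32)  # the full value is returned only here
        self.keys[key_id] = {"hash": _hash(secret), "revoked_at": None, "new_key_id": None}
        return secret

    def rotate(self, key_id: str, now: datetime) -> tuple[str, str]:
        rec = self._checked(key_id, now, rotating=False)
        new_id = f"{key_id}-{secrets.token_hex(4)}"  # constructed id scheme, not the service's
        secret = self.create(new_id)
        rec["new_key_id"], rec["revoked_at"] = new_id, now + self.grace_period
        return new_id, secret

    def complete(self, key_id: str, now: datetime) -> None:
        rec = self._checked(key_id, now, rotating=True)
        rec["revoked_at"], rec["new_key_id"] = now, None  # old key revoked immediately

    def cancel(self, key_id: str, now: datetime) -> None:
        rec = self._checked(key_id, now, rotating=True)
        self.keys[rec["new_key_id"]]["revoked_at"] = now   # new key revoked
        rec["revoked_at"], rec["new_key_id"] = None, None  # old key kept

    def validate(self, key_id: str, secret: str, now: datetime) -> bool:
        rec = self.keys.get(key_id)
        ok = rec is not None and hmac.compare_digest(rec["hash"], _hash(secret))
        return ok and (rec["revoked_at"] is None or now < rec["revoked_at"])

    def _checked(self, key_id: str, now: datetime, rotating: bool) -> dict:
        rec = self.keys.get(key_id)
        if rec is None or (rec["revoked_at"] is not None and now >= rec["revoked_at"]):
            raise ApiKeyError("API_KEY_NOT_FOUND", 404)  # revoked keys treated as gone (assumption)
        in_progress = rec["new_key_id"] is not None  # i.e. the old key is still in its grace period
        if in_progress and not rotating:
            raise ApiKeyError("ROTATION_IN_PROGRESS", 409)
        if rotating and not in_progress:
            raise ApiKeyError("NO_ROTATION_IN_PROGRESS", 404)
        return rec
```

An old key whose grace period has elapsed without an explicit complete is simply revoked by the deadline stored on its record, so a later cancel cannot resurrect it.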
Error Codes
| Code | Status | Description |
|---|---|---|
| API_KEY_NOT_FOUND | 404 | Key does not exist |
| API_KEY_LIMIT_EXCEEDED | 429 | Maximum key count reached |
| DUPLICATE_KEY_NAME | 409 | Key name already in use |
| INVALID_SCOPE | 400 | Requested scope is not valid |
| ROTATION_IN_PROGRESS | 409 | Another rotation is already active |
| NO_ROTATION_IN_PROGRESS | 404 | No active rotation to cancel or complete |