API Keys
API keys provide long-lived authentication credentials for server-to-server integrations, CI/CD pipelines, and automated workflows. Keys are scoped to a specific workspace and can be created, listed, and revoked through the API.
Endpoints
| Method | Path | Description |
|---|---|---|
GET | /api/v1/workspaces/{id}/api-keys | List all API keys |
POST | /api/v1/workspaces/{id}/api-keys | Create a new API key |
DELETE | /api/v1/workspaces/{id}/api-keys/{keyId} | Revoke an API key |
List API Keys
GET /api/v1/workspaces/{id}/api-keys
Returns all API keys for the workspace. The raw key value is never returned in list responses — only the key_prefix is shown for identification.
Response
[
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"workspace_id": "660e8400-e29b-41d4-a716-446655440000",
"name": "CI/CD Pipeline Key",
"key_prefix": "sk_live_abc1",
"status": "active",
"created_by": "770e8400-e29b-41d4-a716-446655440000",
"created_at": "2024-01-15T09:30:00Z",
"updated_at": "2024-01-15T09:30:00Z"
}
]Example
curl -X GET https://your-instance.signalsmith.io/api/v1/workspaces/{id}/api-keys \
-H "Authorization: Bearer <token>" \
-H "X-Workspace-ID: <workspace-id>"Create API Key
POST /api/v1/workspaces/{id}/api-keys
Creates a new API key for the workspace. The raw key value is returned only once in the creation response. Store it securely — it cannot be retrieved again.
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Display name for the API key |
{
"name": "CI/CD Pipeline Key"
}Response
{
"id": "550e8400-e29b-41d4-a716-446655440000",
"workspace_id": "660e8400-e29b-41d4-a716-446655440000",
"name": "CI/CD Pipeline Key",
"key": "sk_live_abc123def456ghi789...",
"key_prefix": "sk_live_abc1",
"status": "active",
"created_by": "770e8400-e29b-41d4-a716-446655440000",
"created_at": "2024-01-15T09:30:00Z",
"updated_at": "2024-01-15T09:30:00Z"
}The key field is only returned in the creation response. Copy and store it securely immediately. If you lose the key, you must revoke it and create a new one.
Example
curl -X POST https://your-instance.signalsmith.io/api/v1/workspaces/{id}/api-keys \
-H "Authorization: Bearer <token>" \
-H "X-Workspace-ID: <workspace-id>" \
-H "Content-Type: application/json" \
-d '{
"name": "CI/CD Pipeline Key"
}'Revoke API Key
DELETE /api/v1/workspaces/{id}/api-keys/{keyId}
Permanently revokes an API key. Once revoked, any requests using this key will receive a 401 Unauthorized response. This action cannot be undone.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
id | string (UUID) | Workspace ID |
keyId | string (UUID) | API key ID to revoke |
Response
{
"status": "revoked"
}Example
curl -X DELETE https://your-instance.signalsmith.io/api/v1/workspaces/{id}/api-keys/{keyId} \
-H "Authorization: Bearer <token>" \
-H "X-Workspace-ID: <workspace-id>"API Key Object
| Field | Type | Description |
|---|---|---|
id | string (UUID) | Unique identifier |
workspace_id | string (UUID) | Workspace the key belongs to |
name | string | Display name |
key | string | Raw key value (only in creation response) |
key_prefix | string | First few characters of the key for identification |
status | string | active or revoked |
created_by | string (UUID) | Account that created the key |
created_at | string (ISO 8601) | Creation timestamp |
updated_at | string (ISO 8601) | Last update timestamp |
Best Practices
- Name keys descriptively — Use names like “Production Sync Service” or “CI/CD Pipeline” so you can identify each key’s purpose.
- One key per integration — Create separate keys for each system that needs API access. This makes it easy to revoke access for a single integration without affecting others.
- Rotate regularly — Create a new key, update your integration, then revoke the old key.
- Store securely — Use environment variables or a secrets manager. Never commit API keys to version control.