API Keys
GET /api/v1/apps/:id/keys
List all API keys for an app.
Authentication: JWT required
```bash
curl https://api.attributehq.com/v1/apps/YOUR_APP_ID/keys \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
```
Response (200 OK):
```json
{
  "success": true,
  "data": {
    "keys": [
      {
        "id": "key_abc123",
        "key_prefix": "ak_abc1...",
        "name": "Production SDK Key",
        "permissions": ["write"],
        "rate_limit": 1000,
        "created_at": "2025-01-15T10:30:00Z",
        "last_used_at": "2025-01-20T15:45:00Z",
        "expires_at": null
      }
    ]
  }
}
```
POST /api/v1/apps/:id/keys
Generate a new API key.
Authentication: JWT required
```bash
curl -X POST https://api.attributehq.com/v1/apps/YOUR_APP_ID/keys \
  -H "Authorization: Bearer YOUR_JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production SDK Key",
    "permissions": ["write"]
  }'
```
Request Body:
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | No | — | Label for the key |
| permissions | string[] | No | ["write"] | "read", "write", "admin" |
Response (201 Created):
```json
{
  "success": true,
  "data": {
    "key": {
      "id": "key_abc123",
      "key_prefix": "ak_abc1...",
      "name": "Production SDK Key",
      "permissions": ["write"],
      "rate_limit": 1000,
      "created_at": "2025-01-15T10:30:00Z",
      "last_used_at": null,
      "expires_at": null,
      "full_key": "ak_abc123def456ghi789"
    }
  }
}
```
The full_key is returned only once at creation time. The key is hashed (bcrypt) before storage and cannot be retrieved later. If lost, generate a new key.
Key Format
```
ak_{keyId}_{secret}
```
Example: ak_abc123def456ghi789
DELETE /api/v1/keys/:id
Revoke an API key. This immediately invalidates the key — any SDKs using it will receive 401 errors.
Authentication: JWT required
```bash
curl -X DELETE https://api.attributehq.com/v1/keys/key_abc123 \
  -H "Authorization: Bearer YOUR_JWT_TOKEN"
```
Response (200 OK):
```json
{
  "success": true,
  "data": { "success": true }
}
```
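A key-hygiene audit over the list response, feeding the revoke endpoint, as an added example that is not part of the AttributeHQ documentation or SDK. The sample keys `key_old001` and `key_tmp002`, the 90-day idle threshold, and the function names are constructed assumptions; the code makes no network calls and only returns the DELETE paths to review.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the GET /api/v1/apps/:id/keys response.
SAMPLE = json.loads("""
{"success": true, "data": {"keys": [
  {"id": "key_abc123", "key_prefix": "ak_abc1...", "name": "Production SDK Key",
   "permissions": ["write"], "rate_limit": 1000, "created_at": "2025-01-15T10:30:00Z",
   "last_used_at": "2025-01-20T15:45:00Z", "expires_at": null},
  {"id": "key_old001", "key_prefix": "ak_old0...", "name": "Legacy admin",
   "permissions": ["admin"], "rate_limit": 1000, "created_at": "2024-03-01T09:00:00Z",
   "last_used_at": null, "expires_at": null},
  {"id": "key_tmp002", "key_prefix": "ak_tmp0...", "name": "Contractor",
   "permissions": ["read"], "rate_limit": 1000, "created_at": "2025-01-10T08:00:00Z",
   "last_used_at": "2025-01-19T12:00:00Z", "expires_at": "2025-01-18T00:00:00Z"}
]}}
""")


def _ts(value):
    """Parse the API's ISO-8601 'Z' timestamps; null stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def audit_keys(response, now, idle_after=timedelta(days=90)):
    """Map key id -> list of findings worth a human review."""
    report = {}
    for key in response["data"]["keys"]:
        notes = []
        expires, used = _ts(key["expires_at"]), _ts(key["last_used_at"])
        if expires is None:
            notes.append("no expiry")
        elif expires <= now:
            notes.append("past expires_at")
        if "admin" in key["permissions"]:
            notes.append("admin permission")
        # A key that was never used is measured from its creation time.
        if now - (used or _ts(key["created_at"])) > idle_after:
            notes.append("idle")
        if notes:
            report[key["id"]] = notes
    return report


def revocation_paths(report):
    """DELETE paths (as documented above) for idle or past-expiry keys."""
    return [f"/api/v1/keys/{kid}" for kid, notes in report.items()
            if "idle" in notes or "past expires_at" in notes]
```
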