Create an API key

Create a new API key. The raw key is returned once in the response and cannot be retrieved later.

POST/api/api-keys

Authorization

better-auth.session_token<token>

Cookie session from Better Auth. Requires X-Org-Id header for org-scoped routes.

In: cookie

Header Parameters

X-Org-Id?string

Organization ID. Required for cookie auth. Not needed for API key auth (org resolved from key).

Formatuuid

Request Body

application/json

name*string

Human-readable label for the key

Length1 <= length <= 100

expiresAt?|

Expiration date (must be in the future). Null or omitted for a key that never expires.

Formatdate-time

scopes?array<string>

Permission scopes for the key (e.g. agents:read, agents:run). Omit or pass empty array for full role access. Invalid or unauthorized scopes are silently filtered.

curl -X POST "https://loading/api/api-keys" \  -H "Content-Type: application/json" \  -d '{    "name": "string"  }'

{
  "id": "string",
  "key": "string",
  "keyPrefix": "string",
  "scopes": [
    "string"
  ]
}

{
  "type": "https://docs.appstrate.dev/errors/invalid-request",
  "title": "Invalid Request",
  "status": 400,
  "detail": "Field is required",
  "code": "invalid_request",
  "requestId": "req_abc123"
}

{
  "type": "https://docs.appstrate.dev/errors/unauthorized",
  "title": "Unauthorized",
  "status": 401,
  "detail": "Invalid or missing session",
  "code": "unauthorized",
  "requestId": "req_abc123"
}

{
  "type": "https://docs.appstrate.dev/errors/forbidden",
  "title": "Forbidden",
  "status": 403,
  "detail": "Insufficient permissions",
  "code": "forbidden",
  "requestId": "req_abc123"
}