API Key Management
API keys authenticate all requests to the Skillett API. Keys are scoped per user and can be restricted to specific integrations.
GET /api-keys
List all API keys for the authenticated user. Key hashes are never exposed.
Authentication
Required. Session auth (dashboard) or Bearer token.
Response
```json
[
  {
    "id": "key_abc123",
    "name": "Production",
    "key_prefix": "sk_a1b2c3d4",
    "scopes": ["*"],
    "last_used_at": "2026-04-08T10:30:00Z",
    "expires_at": null,
    "revoked_at": null,
    "created_at": "2026-03-01T09:00:00Z"
  }
]
```
Response fields
| Field | Type | Description |
|---|---|---|
| id | string | Key ID |
| name | string | Display name |
| key_prefix | string | First 8 chars of the key (for identification) |
| scopes | string[] | Access scopes (["*"] = all) |
| last_used_at | string\|null | ISO 8601 timestamp of last use |
| expires_at | string\|null | Expiration date (null = never) |
| revoked_at | string\|null | Revocation date (null = active) |
| created_at | string | Creation timestamp |
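The following added example, which is not Skillett's own code, audits a GET /api-keys response for active keys that have wildcard scopes, no expiry, or no recent use, and maps a discovered secret back to a key ID through key_prefix. The sample data, the `integration:ci` scope string, the 90-day threshold and the finding labels are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the documented response shape; "integration:ci" is a hypothetical scope.
SAMPLE = json.loads("""[
  {"id": "key_abc123", "name": "Production", "key_prefix": "sk_a1b2c3d4",
   "scopes": ["*"], "last_used_at": "2026-04-08T10:30:00Z", "expires_at": null,
   "revoked_at": null, "created_at": "2026-03-01T09:00:00Z"},
  {"id": "key_def456", "name": "CI", "key_prefix": "sk_e5f6a7b8",
   "scopes": ["integration:ci"], "last_used_at": null,
   "expires_at": "2026-06-01T00:00:00Z", "revoked_at": null, "created_at": "2025-11-01T09:00:00Z"},
  {"id": "key_old789", "name": "Old", "key_prefix": "sk_c9d0e1f2",
   "scopes": ["*"], "last_used_at": "2025-01-01T00:00:00Z", "expires_at": null,
   "revoked_at": "2025-02-01T00:00:00Z", "created_at": "2024-12-01T00:00:00Z"}
]""")

def _ts(value):
    """Parse an ISO 8601 'Z' timestamp, or return None for null."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_keys(keys, now, stale_days=90):
    """Return {key id: [findings]} for keys that have not been revoked."""
    findings = {}
    for k in keys:
        if k["revoked_at"] is not None:  # revoked keys can no longer be used
            continue
        issues = []
        if "*" in k["scopes"]:
            issues.append("wildcard_scope")
        expires = _ts(k["expires_at"])
        if expires is None:
            issues.append("no_expiry")
        elif expires <= now:
            issues.append("expired")
        # A key that was never used is aged from its creation time instead.
        last_seen = _ts(k["last_used_at"]) or _ts(k["created_at"])
        if now - last_seen > timedelta(days=stale_days):
            issues.append("stale")
        if issues:
            findings[k["id"]] = issues
    return findings

def match_prefix(keys, secret):
    """Map a secret found in a repository or log to key IDs via key_prefix."""
    return [k["id"] for k in keys if secret.startswith(k["key_prefix"])]

if __name__ == "__main__":
    now = datetime(2026, 4, 8, 12, 0, tzinfo=timezone.utc)
    print(audit_keys(SAMPLE, now), match_prefix(SAMPLE, "sk_a1b2c3d4e5f6g7h8"))
```

Keys reported by either function are candidates for revocation with DELETE /api-keys/:id.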
POST /api-keys
Create a new API key.
Authentication
Required. Session auth (dashboard) or Bearer token.
Request
```json
{
  "name": "Production"
}
```
| Field | Type | Required | Default |
|---|---|---|---|
| name | string | Yes | — |
| scopes | string[] | No | ["*"] |
Response
```json
{
  "api_key": {
    "id": "key_abc123",
    "name": "Production",
    "key_prefix": "sk_a1b2c3d4",
    "scopes": ["*"],
    "expires_at": null,
    "created_at": "2026-04-08T12:00:00Z"
  },
  "full_key": "sk_a1b2c3d4e5f6g7h8..."
}
```
Plan limits
| Plan | Max API keys |
|---|---|
| Free | 1 |
| Pro | Unlimited |
| Unlimited | Unlimited |
Errors
| Code | Error | Description |
|---|---|---|
| 401 | unauthorized | Not authenticated |
| 403 | plan_limit_reached | Maximum API keys for plan exceeded |
DELETE /api-keys/:id
Revoke an API key. This is a soft delete — the key is marked as revoked and can no longer be used.
Authentication
Required. Session auth (dashboard) or Bearer token.
Path parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| id | string | Yes | API key ID to revoke |
Response
HTTP 204 No Content.
Errors
| Code | Error | Description |
|---|---|---|
| 401 | unauthorized | Not authenticated |
| 404 | not_found | Key not found or doesn’t belong to user |