Skip to main content
POST
Create a new API key for the authenticated workspace. Pass a human-readable name and, optionally, an expires_at timestamp. The key’s raw secret — the value you send as a bearer token — is returned only in this response, so capture it immediately. The returned token is a 64-character hexadecimal string. Use it on every subsequent request as Authorization: Bearer <token>.

Authorizations

Authorization
string
header
required

Bearer authentication header of the form Bearer <token>, where <token> is your auth token.

Body

application/json
name
string
required

Human-readable label for the key, shown in the dashboard alongside its usage metrics. Required and must be non-empty (a blank name is rejected with 400). Labels do not need to be unique.

Example:

"production-pipeline"

expires_at
string<date-time>

Optional expiry, as an RFC 3339 / ISO 8601 timestamp. Once this moment passes the key stops authenticating and requests made with it receive 401. Omit the field to create a key that never expires.

Example:

"2026-12-31T23:59:59Z"

Response

API key created. The token field is present only in this response.

Returned only by Create. The same fields as an API key, plus the one-time raw token.

id
string

Unique identifier for the new key (a UUID).

Example:

"9b7e2c1a-4f3d-4a2b-8c1e-2d6f5a0b7c34"

name
string

The label you supplied.

Example:

"production-pipeline"

token
string

The raw API key — a 64-character hexadecimal string. Send it as a bearer token on every request (Authorization: Bearer <token>). Returned only in this response; Byteport stores only a hash, so it cannot be recovered later.

Example:

"7f3a9c1eb2d48056e1a7c93f0d6b8254aa31ff90c4e27b156d8e0fa39b21c7d4"

expires_at
string<date-time>

The expiry you supplied, echoed back. Omitted if the key never expires.

Example:

"2026-12-31T23:59:59Z"