Skip to main content

API Keys API

All endpoints verified working via curl. Document updated only after curl confirmation.

:::tip Generate your first key in the dashboard Most people never call POST /api-keys directly — go to Account & keys → New key in the web app, copy it (shown once), and export it as $ACRUXCORE_API_KEY. Every endpoint in this reference authenticates with Authorization: Bearer $ACRUXCORE_API_KEY. The endpoints below matter once you want to create or revoke additional keys from a script. :::


POST /api/v1/api-keys

Full key is returned only here — it's not retrievable afterwards.

curl -X POST "$ACRUXCORE_BASE_URL/api-keys" \
-H "Authorization: Bearer $ACRUXCORE_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name":"my-dev-key"}'

Response (status 201):

{
"id": "21ef4fd3-e386-4026-8470-2cbe7c650e06",
"key": "58012951ebbf22406876ae7dd44618143edded27786239f682eae7dcabbf924a",
"name": "my-dev-key",
"createdAt": "2026-06-23T15:30:37.806Z"
}

GET /api/v1/api-keys

Full key never returned — only lastFour.

curl -H "Authorization: Bearer $ACRUXCORE_API_KEY" "$ACRUXCORE_BASE_URL/api-keys"

Response (status 200):

[
{ "id": "21ef4fd3-e386-4026-8470-2cbe7c650e06", "name": "my-dev-key", "lastFour": "924a", "createdAt": "2026-06-23T15:30:37.806Z" }
]

DELETE /api/v1/api-keys/:id

Soft-revokes the key (sets revoked_at); it immediately stops authenticating. You can only revoke keys in your own team.

curl -X DELETE "$ACRUXCORE_BASE_URL/api-keys/9d4a12f2-8a6a-4a5c-a1d5-708676196c1e" \
-H "Authorization: Bearer $ACRUXCORE_API_KEY"

Response (status 204) — no body. The id disappears from GET /api/v1/api-keys.

Unknown id (or a key in another team) returns 404:

{ "error": { "code": "NOT_FOUND", "message": "API key not found." } }