API reference

Create an API key

Generates a new API key for the active tenant. The plaintext is returned ONCE — store it securely.

POST/v1/admin/api-keys

Requires role admin or owner.

Request

bash

curl -X POST https://api-raven-cloud.autotribes.app/v1/admin/api-keys \
  -H "Authorization: Bearer eyJ..." \
  -H "X-App-Name: raven-cloud" \
  -H "X-Tenant-Slug: acme-co" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production server",
    "scopes": ["messages:send", "messages:read"],
    "environment": "live",
    "rateLimitRpm": 600
  }'

Body

Field	Type	Notes
`name`	string · required	Human label, e.g. "production server"
`scopes`	string[] · optional	Defaults to `["messages:send", "messages:read"]`
`environment`	`live \| test` · optional	Defaults to `live`
`rateLimitRpm`	int · optional	Per-key rate limit. Tenant default applies otherwise.
`expiresAt`	ISO-8601 · optional	Auto-expire after this date

Response

201 Created — the only time plaintext appears in any response.

json

{
  "id": "e8a4f1c2-...",
  "prefix": "rk_live_a3f7b2c1",
  "lastFour": "8c4d",
  "plaintext": "rk_live_a3f7b2c1_4Hk9mPqR2vT8XzL5wY3jN6sB1cF7gE0aD8u",
  "scopes": ["messages:send", "messages:read"],
  "name": "production server",
  "createdAt": "2026-05-01T10:23:18.114Z",
  "warning": "This is the only time the full key is shown..."
}

Security

STORE IT NOW

The full key is shown once at creation. We hash it with Argon2id and never see it again. Lose it? Revoke and create a new one — keys are cheap.