API keys

| Type | Prefix | Where | What it lets you do |
| --- | --- | --- | --- |
| Publishable | pk_live_… | Browser bundle, iframe SDK | Identify your org. Cannot sign or read data. |
| Secret | sk_live_… | Your backend only | Call /v1/s2s/... endpoints. Treat like a password. |

POST /v1/orgs/{orgID}/api-keys

{ "name": "frontend prod", "type": "publishable" }

The response includes the cleartext key once; after that it is stored only as a hash:

{
  "data": {
    "id": "key_xxx",
    "name": "frontend prod",
    "type": "publishable",
    "key_prefix": "pk_live_AbC1",
    "cleartext": "pk_live_AbC1XYZ…",
    "created_at": "2026-05-04T22:00:00Z"
  },
  "error": null
}

If you lose the cleartext, mint a new one and revoke the old.

GET /v1/orgs/{orgID}/api-keys

List all keys (no cleartext).

DELETE /v1/orgs/{orgID}/api-keys/{keyID}

Revoke. Subsequent requests using that key get 401 invalid_key.

Revoke writes a row to the audit log under api_key.revoked.
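
The show-once lifecycle described above, as an added sketch that is not the service's own code: an in-memory store that returns the cleartext only at creation, keeps just a hash and the key_prefix, and answers 401 invalid_key after revocation. The KeyStore class, its method names, the SHA-256 digest and the 12-character prefix length are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PREFIXES = {"publishable": "pk_live_", "secret": "sk_live_"}


class KeyStore:
    """In-memory model of show-once API keys (constructed for illustration)."""

    def __init__(self):
        self.rows = {}       # key_id -> stored row; never contains cleartext
        self.audit_log = []  # list of (event, key_id)

    @staticmethod
    def _digest(cleartext):
        # Assumption: the page does not name the hash; SHA-256 suits a high-entropy random key.
        return hashlib.sha256(cleartext.encode()).hexdigest()

    def mint(self, name, key_type):
        cleartext = PREFIXES[key_type] + secrets.token_urlsafe(32)
        key_id = "key_" + secrets.token_hex(8)
        self.rows[key_id] = {
            "id": key_id, "name": name, "type": key_type,
            "key_prefix": cleartext[:12],  # same length as pk_live_AbC1; safe to list
            "hash": self._digest(cleartext), "revoked": False,
            "created_at": datetime.now(timezone.utc).isoformat(),
        }
        # The cleartext is returned to the caller here and is not kept in the store.
        public = {k: v for k, v in self.rows[key_id].items() if k not in ("hash", "revoked")}
        return {**public, "cleartext": cleartext}

    def list_keys(self):
        return [{k: v for k, v in r.items() if k != "hash"} for r in self.rows.values()]

    def authenticate(self, presented):
        digest = self._digest(presented)
        for row in self.rows.values():
            # Constant-time compare; revoked keys fail the same way as unknown ones.
            if hmac.compare_digest(row["hash"], digest) and not row["revoked"]:
                return 200, row["id"]
        return 401, "invalid_key"

    def revoke(self, key_id):
        self.rows[key_id]["revoked"] = True
        self.audit_log.append(("api_key.revoked", key_id))
```

Because the store holds only the digest, a leaked database row cannot be replayed as a key, which is also why a lost cleartext can only be replaced, not recovered.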