API Keys
Users can create personal API keys via Settings → API Keys for programmatic access to the platform.
Key Types
| Type | Description |
|---|---|
| Personal | Inherits all user permissions within the tenant |
| Dataset-scoped | Restricted to selected datasets only (min. 1 dataset required) |
Security Model
Keys are stored as HMAC-SHA256 hashes — non-reversible, cannot be recovered
The raw key is shown once at creation time — save it immediately
Keys are identified by a random UUID — no part of the token is exposed in the database or UI
Optional expiration date — expired keys are rejected at authentication time
Keys are tenant-scoped and user-owned — a key only works within its tenant context
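The storage and verification model listed above, sketched as an added example (not the platform's own code). Assumptions: the HMAC is keyed with a server-side secret, records are looked up by the digest of the presented token, and the names `SERVER_SECRET`, `STORE`, `create_key`, `authenticate` and `revoke` are hypothetical.

```python
import hashlib, hmac, secrets, uuid
from datetime import datetime, timezone

# Assumption: a server-side secret keys the HMAC; in practice load it from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
STORE = {}  # digest -> record; stands in for an indexed database column

def token_digest(raw_token):
    # Deterministic keyed hash: allows lookup by digest, useless without SERVER_SECRET.
    return hmac.new(SERVER_SECRET, raw_token.encode(), hashlib.sha256).hexdigest()

def create_key(tenant_id, user_id, dataset_ids=None, expires_at=None):
    """Return (key_id, raw_token). Only the digest is stored, never the raw token."""
    if dataset_ids is not None and len(dataset_ids) < 1:
        raise ValueError("dataset-scoped keys need at least one dataset")
    raw_token = secrets.token_urlsafe(32)
    record = {
        "id": str(uuid.uuid4()),     # random identifier, not derived from the token
        "tenant_id": tenant_id,
        "user_id": user_id,
        "dataset_ids": dataset_ids,  # None means a personal key
        "expires_at": expires_at,    # None means the key never expires
        "revoked": False,
    }
    STORE[token_digest(raw_token)] = record
    return record["id"], raw_token   # the only moment the raw token exists server-side

def authenticate(raw_token, tenant_id, now=None):
    """Return the key record, or None if the token must be rejected."""
    now = now or datetime.now(timezone.utc)
    record = STORE.get(token_digest(raw_token))
    if record is None or record["revoked"]:
        return None
    if record["tenant_id"] != tenant_id:  # a key only works inside its own tenant
        return None
    if record["expires_at"] is not None and now >= record["expires_at"]:
        return None                        # expired keys are rejected at auth time
    return record

def revoke(key_id):
    """Revoke by UUID, so the caller never has to present the token itself."""
    for record in STORE.values():
        if record["id"] == key_id:
            record["revoked"] = True
            return True
    return False
```
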
API Endpoints
| Method | Path | Description |
|---|---|---|
| | | Create a new API key |
| | | List user's keys in current tenant |
| | | Revoke a key by its UUID |
All endpoints require authentication via Authorization: Bearer <jwt>.
Create Key
Request:
| Field | Type | Required | Description |
|---|---|---|---|
| | string | No | Human-readable label |
| | string | Yes | |
| | string[] | Conditional | Required when |
| | datetime | No | ISO 8601 expiry (null = never expires) |
Response:
List Keys
Response:
Note: The raw token is never returned in list responses.
Usage
Use the key as a Bearer token in the Authorization header:
Works with:
MCP server (/mcp/)
OpenAI-compatible chat API (/v1/chat/completions)
Any authenticated endpoint
Credential Migration
Legacy dialog API tokens (raw values stored in database) can be migrated with:
This encrypts provider credentials and invalidates legacy plaintext dialog tokens. New keys must be issued to affected clients.