Create API Key
POST /service/{service_id}/api-key
Create a new API key for a service.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
service_id | uuid | The service ID |
Request Body
Key Types
| Type | Description |
|---|---|
normal | Production API key with full permissions |
team | Team API key that can only send to team members and guest list |
test | Test API key that simulates sending without actually delivering notifications |
Response
201 Created
Get API Keys
GET /service/{service_id}/api-keys
Retrieve all API keys for a service.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
service_id | uuid | The service ID |
Response
Get API Key by ID
GET /service/{service_id}/api-keys/{key_id}
Retrieve a specific API key.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
service_id | uuid | The service ID |
key_id | uuid | The API key ID |
Response
Revoke API Key
POST /service/{service_id}/api-key/revoke/{api_key_id}
Revoke an API key. This sets an expiry date on the key, preventing it from being used for new requests.
Path Parameters
| Parameter | Type | Description |
|---|---|---|
service_id | uuid | The service ID |
api_key_id | uuid | The API key ID to revoke |
Response
Status Code:202 Accepted
Revoking an API key does not delete it - it sets an expiry date to prevent future use. The key will still appear in the API key list but with an expiry date set.
API Key Format
API keys follow this format:- Service ID - Identifies which service the key belongs to
- UUID1 - The actual API key ID in the database
- UUID2 - A secret value used for authentication
API Key Validation
When making requests to the public API, include the API key in the Authorization header:- The key format is correct
- The service ID in the key matches an existing service
- The API key exists and belongs to that service
- The key has not expired
- The secret portion matches what’s stored
Key Types in Detail
Normal Keys
Normal keys have full permissions to:- Send notifications to any recipient
- Use all notification types (email, SMS, letter) if service has permissions
- Access all public API endpoints
- No rate limiting beyond standard service limits
Team Keys
Team keys are restricted to:- Sending only to team members (users in the service)
- Sending to guest list recipients (for trial services)
- Cannot send to general public
- Useful for testing and development
Test Keys
Test keys:- Simulate sending without actually delivering notifications
- Useful for integration testing
- Create notification records but don’t send to providers
- Don’t count against service limits
- Validate templates and recipient formats
Best Practices
Rotate Keys Regularly
Create new keys and revoke old ones periodically for security
Use Descriptive Names
Name keys based on their purpose or application (e.g., “Production Web App”, “Staging Environment”)
Separate Environments
Use different keys for development, staging, and production
Monitor Usage
Review which keys are actively used and revoke unused keys
Related Endpoints
See also:- Service Management - Create and manage services
- Send Notifications - Using API keys to send notifications