Skip to main content
ApiKey represents a long-lived programmatic credential scoped to a workspace (and optionally to a specific person/member) that authenticates API requests via the ApiKeyStrategy in the auth chain. It is created by workspace members through the POST /v1/api-keys endpoint and revoked via DELETE /v1/api-keys/:id; no PATCH route exists. Each key is linked to one or more workspace connectors via a separate api_key_workspace_connector_links join table, and those connectors are cleaned up automatically on revocation. The value field is the raw bearer secret โ€” it is only surfaced once at creation; all subsequent list responses return a masked_key derived from it.
Internal object. Not currently exposed on the public REST API. The operations below describe the intended contract.

API operations

Data model

Attributes

Relationships

System-computed

  • api_key_id โ€” generated via gen_random_uuid() defaultRaw on INSERT
  • created_at โ€” set by MikroORM onCreate hook, never writable
  • updated_at โ€” set by MikroORM onCreate + onUpdate hooks, never writable
  • value โ€” generated server-side by ApiKeyService (random secure secret); returned once at creation, never again
  • last_used_at โ€” stamped by ApiKeyStrategy on each successful auth pass, not user-writable
  • is_active โ€” defaults to true on INSERT; set to false by ApiKeyService.revokeApiKey() on DELETE, not directly patchable

Example

Source: apps/api/src/database/entities/ApiKey.ts ยท domain: platform ยท tier: Platform