skopik

API Keys

API keys are bearer tokens for programmatic access to a workspace. Use them for servers, CLIs, automations, and other non-browser clients. Manage them with client.apiKeys.

Quick Links

Action Description
apiKeys.list() List workspace API keys.
apiKeys.create() Create an API key.
apiKeys.get() Read API key metadata.
apiKeys.update() Update an API key's name or scopes.
apiKeys.rotate() Rotate an API key secret.
apiKeys.revoke() Revoke an API key.

Use An API Key

Pass the key to createSkopikClient({ apiKey }) and the SDK sends it as a bearer token on every request. Raw HTTP callers send it themselves:

curl "$SKOPIK_API_BASE/agents" \
  -H "Authorization: Bearer $SKOPIK_API_KEY"

Store API keys like passwords. The secret is returned only when the key is created or rotated.

Scopes

Scopes limit what a key can do.

Scope family Enables
org:admin Workspace administration, members, invites, and API keys.
agents:* Agent and team reads/writes.
agents:run Dispatching agent work.
tasks:* Projects, tasks, and operations.
messages:* Conversations and messages.
files:* Uploading, reading, indexing, and summarizing files.
templates:* and skills:* Reusable templates and skills.
usage:read Workspace usage summaries.

Reference

apiKeys.list()

List API keys for the current workspace.

const { data: keys } = await client.apiKeys.list()

Returns ListResponse<ApiKey>{ data: ApiKey[] }. See ApiKey.

apiKeys.create(input)

Create a workspace API key. The response is the only time the key's secret is available — store it immediately. Grant only the scopes the consumer needs.

const { apiKey } = await client.apiKeys.create({
	name: 'CI deploy key',
	scopes: ['agents:read', 'tasks:write', 'agents:run'],
})

Parameters

Field Type Required Notes
name string Yes Human-readable key name.
scopes string[] No Granted scopes. Defaults to [].
expiresAt string No Optional ISO expiration timestamp.
metadata object No Customer metadata.

Returns { apiKey: ApiKey } — includes secret on this call only. See ApiKey.

apiKeys.get(keyId)

Read API key metadata. Reads never return the secret.

const { apiKey } = await client.apiKeys.get(keyId)

Returns { apiKey: ApiKey } — see ApiKey.

apiKeys.update(keyId, input)

Update API key metadata or scopes.

const { apiKey } = await client.apiKeys.update(keyId, {
	scopes: ['agents:read', 'tasks:write'],
})

Parameters

Field Type Required Notes
name string No New display name.
scopes string[] No Replacement scope list.
metadata object No Replacement metadata.

Returns { apiKey: ApiKey } — see ApiKey.

apiKeys.rotate(keyId)

Rotate an API key secret. The old secret stops authenticating and the new secret is returned once — update every consumer before rotating a key that is in active use.

const { apiKey } = await client.apiKeys.rotate(keyId)

Returns { apiKey: ApiKey } — includes the new secret on this call only. See ApiKey.

apiKeys.revoke(keyId)

Revoke an API key. Revoked keys stop authenticating immediately.

await client.apiKeys.revoke(keyId)

Returns nothing — resolves when the API confirms revocation (HTTP 204).

Types

ApiKey

Field Type Notes
keyId string API key id.
name string Display name.
owner string User or caller that owns the key.
orgId string Workspace id.
hashedKeyPrefix string Prefix used to identify the key without exposing the secret.
scopes string[] Granted scopes.
createdBy string Creator id.
expiresAt string | null Optional expiration timestamp.
lastUsedAt string Last use timestamp.
revokedAt string | null Revocation timestamp, if revoked.
secret string Present only in create() and rotate() responses. Store it like a password.
metadata object Customer metadata.
createdAt string ISO timestamp.
updatedAt string ISO timestamp.