GET /me/api-keys

Lists keys for the current org, sorted by created_at descending. The response matches the api_keys field in GET /me.
GET /me/api-keys[?include_revoked=true]
Authorization: Bearer <access_token>

Query parameters

include_revoked (boolean, default: false): When true, includes revoked keys (with non-null revoked_at).

POST /me/api-keys

Creates a new key. The plaintext value is returned once.
POST /me/api-keys
Authorization: Bearer <access_token>
Content-Type: application/json

Body

{
  "name":   "laptop-dev",
  "scopes": ["*"]
}

name (string): Optional human-readable label, max 64 chars.
scopes (array[string], default: ["*"]): Permission scopes for the new key. Default ["*"] means full access. Scoped keys (e.g. ["read"]) are reserved for future use.

Response — 201

api_key (string): Plaintext key. Store immediately.
key (object): Metadata for the key, including id, prefix, display_id, name, scopes, and timestamps.

{
  "api_key": "tex_live_eGpnAyArDoncUaK9r-sT9um__jvKEZutqpbVwsS4iJw",
  "key": {
    "id": "30a820b9-11b6-4a54-93fc-0a682c167476",
    "prefix": "tex_live_",
    "display_id": "eGpnAyAr",
    "name": "laptop-dev",
    "scopes": ["*"],
    "is_active": true,
    "created_at": "2026-05-08T09:57:02.363742",
    "last_used_at": null,
    "revoked_at": null
  }
}

DELETE /me/api-keys/{id}

Revokes a key. Returns 204 No Content.
DELETE /me/api-keys/{id}
Authorization: Bearer <access_token>

id (string, required): The key’s UUID (the id field, not the prefix or display_id).

Revocation is irreversible. Existing JWTs created from a revoked key keep working until they expire, up to 24h after revocation.

Examples

# List active keys
curl -H "Authorization: Bearer $JWT" \
  https://api.getmetacognition.com/me/api-keys

# Mint a new one
curl -X POST -H "Authorization: Bearer $JWT" \
  -H 'content-type: application/json' \
  -d '{"name":"production"}' \
  https://api.getmetacognition.com/me/api-keys

# Revoke
curl -X DELETE -H "Authorization: Bearer $JWT" \
  https://api.getmetacognition.com/me/api-keys/a1247653-9646-4f32-b04f-72d2c0f5355b

Operational tips

  • One key per environment. Mint production, staging, and local-dev separately.
  • Alert if a key has not been used in 30 days. It may be abandoned.
  • Do not share keys across services. Give each service its own key so revocation is narrow.
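
The 30-day idle alert above and the 24h JWT lifetime after revocation can both be checked from the output of GET /me/api-keys?include_revoked=true. The following is an added example, not code from this API's documentation or project. It assumes the list is an array of objects shaped like the key object in the POST response and that timestamps are UTC; audit_keys and the sample ids are hypothetical.

```python
from datetime import datetime, timedelta

STALE_AFTER = timedelta(days=30)  # "not used in 30 days" tip
JWT_GRACE = timedelta(hours=24)   # JWTs can outlive revocation by up to 24h

def _ts(value):
    """Parse the API's naive ISO-8601 timestamps; None stays None."""
    return datetime.fromisoformat(value) if value else None

def audit_keys(keys, now):
    """Return {key id: finding} for keys that need attention.

    Assumption: `keys` is a list of objects shaped like the `key` object in
    the POST response, and timestamps are UTC (the page does not say).
    """
    findings = {}
    for k in keys:
        revoked = _ts(k.get("revoked_at"))
        if revoked is not None:
            # Revoked, but JWTs minted from it may still be accepted.
            if now - revoked < JWT_GRACE:
                deadline = (revoked + JWT_GRACE).isoformat()
                findings[k["id"]] = f"revoked; JWTs may work until {deadline}"
            continue
        # A key that was never used is measured from its creation time.
        last_seen = _ts(k.get("last_used_at")) or _ts(k["created_at"])
        idle = now - last_seen
        if idle > STALE_AFTER:
            findings[k["id"]] = f"idle {idle.days} days; review or revoke"
    return findings

# Constructed sample data: ids and timestamps are made up for this example.
SAMPLE = [
    {"id": "key-fresh", "created_at": "2026-04-01T00:00:00",
     "last_used_at": "2026-05-07T12:00:00", "revoked_at": None},
    {"id": "key-never-used", "created_at": "2026-03-01T00:00:00",
     "last_used_at": None, "revoked_at": None},
    {"id": "key-idle", "created_at": "2026-01-10T00:00:00",
     "last_used_at": "2026-04-01T00:00:00", "revoked_at": None},
    {"id": "key-just-revoked", "created_at": "2026-02-01T00:00:00",
     "last_used_at": "2026-05-07T23:00:00", "revoked_at": "2026-05-08T01:00:00"},
    {"id": "key-old-revoked", "created_at": "2026-01-01T00:00:00",
     "last_used_at": "2026-03-01T00:00:00", "revoked_at": "2026-04-01T00:00:00"},
]
NOW = datetime(2026, 5, 8, 10, 0, 0)

if __name__ == "__main__":
    for key_id, finding in audit_keys(SAMPLE, NOW).items():
        print(f"{key_id}: {finding}")
```

A key that was created but never used is measured from created_at, so an abandoned key with last_used_at null is still flagged.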