API Keys
API Keys Module
Manage programmatic access tokens for external integrations and developer tools.
Description
The API Keys module allows users to generate long-lived access tokens for programmatic interaction with the VeriWorkly API.
Unlike session-based authentication, which is designed for browser use, API Keys are intended for CLI tools, CI/CD pipelines, and personal automation scripts.
Security Model
To protect your account, VeriWorkly implements a strict visibility policy for keys:
- One-Time Secret: The raw API key is only returned once (during the POST creation request). It is never stored in plain text in a way that can be retrieved later.
- Masking: List operations return a masked version of the key (e.g., vw_abc1...xyz9) to allow you to identify keys without exposing them.
- Rate Limiting: Each API key has an associated rate limit (default: 20 req/15min) to prevent abuse and ensure platform stability.
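The three policies above, sketched as a server-side key store. This is an added illustration, not VeriWorkly's implementation: the `KeyStore` class, the SHA-256 digest storage, the sliding-window limiter and the mask widths (7 leading and 4 trailing characters, inferred from the example vw_abc1...xyz9) are assumptions.

```python
import hashlib
import hmac
import secrets
import time

KEY_PREFIX = "vw_"        # prefix seen in the page's masked example
RATE_LIMIT = 20           # page default: 20 requests ...
RATE_WINDOW = 15 * 60     # ... per 15 minutes, in seconds


class KeyStore:
    """Hypothetical in-memory key table; it never holds a raw key."""

    def __init__(self):
        self._records = {}  # key_id -> record

    def create(self, name):
        raw = KEY_PREFIX + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(8)
        self._records[key_id] = {
            "name": name,
            # A fast hash is adequate only because the key is 256 random bits.
            "digest": hashlib.sha256(raw.encode()).hexdigest(),
            "masked": f"{raw[:7]}...{raw[-4:]}",
            "revoked": False,
            "hits": [],
        }
        return key_id, raw  # the only time the raw key is available

    def list_keys(self):
        return [{"id": k, "name": r["name"], "masked": r["masked"]}
                for k, r in self._records.items()]

    def revoke(self, key_id):
        self._records[key_id]["revoked"] = True  # soft revoke keeps the record

    def authenticate(self, presented, now=None):
        now = time.time() if now is None else now
        digest = hashlib.sha256(presented.encode()).hexdigest()
        for rec in self._records.values():
            if hmac.compare_digest(rec["digest"], digest):
                if rec["revoked"]:
                    return "revoked"
                rec["hits"] = [t for t in rec["hits"] if now - t < RATE_WINDOW]
                if len(rec["hits"]) >= RATE_LIMIT:
                    return "rate_limited"
                rec["hits"].append(now)
                return "ok"
        return "unknown"
```

Because only the digest and the masked form are stored, a leaked copy of the key table does not yield usable keys, and a lost key can only be replaced, not recovered.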
Key Lifecycle
| Action | Description |
|---|---|
| Creation | Generate a key with a custom name, scopes, and a capped rate limit. Store the secret immediately. |
| Usage | Include the key in the X-API-Key header for all requests. |
| Rotation | Replace a key with updated settings and revoke the old one immediately. |
| Soft revoke | Disable a key without removing its database record. |
| Deletion | Permanently remove a key when it should never be used again. |
Available Endpoints
| Method | Path | Operation | Description |
|---|---|---|---|
| GET | /api-keys | List API Keys | View all API keys associated with your account in a masked format. |
| POST | /api-keys | Create API Key | Generate a new secret token for programmatic access. |
| POST | /api-keys/{id}/rotate | Rotate API Key | Revoke the old key and generate a replacement with updated settings. |
| POST | /api-keys/{id}/revoke | Revoke API Key | Disable a key immediately without deleting its database record. |
| DELETE | /api-keys/{id} | Delete API Key | Permanently remove an API key from the database. |