API keys let scripts and external tools authenticate to the Keystroke platform without an interactive browser session. They belong to an organization and act as the user who created them. Use Settings > API keys to create, copy, review, and revoke keys for the active organization.

What API keys can access

Organization API keys authenticate to platform APIs for the organization they were created in. The key inherits the creator’s organization role and access. That means a key created by an admin can access admin-level platform APIs, while a key created by a builder is limited to builder-level access.

API keys can be sent as:
Authorization: Bearer <api-key>
x-api-key: <api-key>
Some webhook-style endpoints also accept ?token= or ?api_key= query parameters. Prefer headers for new scripts.

API keys and the CLI

API keys have nothing to do with CLI access today. The CLI is authenticated and accessed at the user level, not with org-scoped API keys. When you run keystroke auth login, you authenticate as a user. From there, the CLI can access every organization you belong to and switch between them. It is not scoped to a single organization the way an API key is. So use API keys for scripts and external tools hitting the platform API, and use keystroke auth login for CLI work like keystroke deploy.

Create a key

Create API keys from the web app or the CLI.
keystroke api-key create --name "Production automation"
The secret is shown only when the key is created. Copy it immediately and store it somewhere safe. After you close the reveal dialog or lose the CLI output, Keystroke only shows the key preview.

The API keys table shows:

| Column | What it means |
| --- | --- |
| Name | The label you gave the key |
| Key preview | A non-secret preview for identifying the key |
| Created at | When the key was created |
| Created by | The member who created the key, when your role can see it |

Visibility and permissions

API key visibility depends on your organization role:
| Role | What it can do |
| --- | --- |
| Owner | View all keys, create keys, and revoke any key |
| Admin | View all keys, create keys, and revoke any key |
| Builder | Create keys and view keys they created |
Any member can revoke their own keys. Owners and admins can revoke keys created by other members.

Revoke a key

Revoke a key when it is no longer needed, when a teammate leaves, or when you think the secret may have been exposed.
keystroke api-key list
keystroke api-key revoke <api-key-id> --yes
Revocation takes effect immediately. Any requests using that key will stop authenticating.

Use keys in scripts

Store the key in an environment variable and pass it as a header:
export KEYSTROKE_API_KEY="key_live_..."
export KEYSTROKE_PLATFORM_URL="https://<your-platform-url>"

curl "$KEYSTROKE_PLATFORM_URL/api/projects" \
  -H "Authorization: Bearer $KEYSTROKE_API_KEY"
Use separate keys for separate scripts or environments. Naming keys clearly makes it easier to revoke the right one later.
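
The header-based pattern above, hardened as an added example (not Keystroke's own tooling): the key is fed to curl through a config read from stdin, so it stays out of the process list, and requests that would put the key in the URL or send it over plain HTTP are refused. The function names `keystroke_curl_config` and `keystroke_get` are hypothetical, and the allowed key characters are an assumption based on the `key_live_...` form shown above.

```shell
# Added example; assumes curl is installed. Function names are hypothetical.

# Emit a curl config for one GET request. The key lives only in this text,
# which is later piped to curl on stdin, so it never appears in curl's argv.
keystroke_curl_config() {
  path=$1
  key=${KEYSTROKE_API_KEY:-}
  base=${KEYSTROKE_PLATFORM_URL:-}

  [ -n "$key" ] || { echo "KEYSTROKE_API_KEY is not set" >&2; return 2; }
  # Assumption: keys contain only letters, digits, "_" and "-".
  case $key in
    *[!A-Za-z0-9_-]*) echo "KEYSTROKE_API_KEY has unexpected characters" >&2; return 2 ;;
  esac
  # Require TLS so the bearer token is never sent in cleartext.
  case $base in
    https://?*) ;;
    *) echo "KEYSTROKE_PLATFORM_URL must start with https://" >&2; return 3 ;;
  esac
  case $path in
    /*) ;;
    *) echo "path must start with /" >&2; return 4 ;;
  esac
  # Keep the secret out of the URL: query strings end up in logs and history.
  case $path in
    *"?token="*|*"&token="*|*"?api_key="*|*"&api_key="*)
      echo "send the key as a header, not as a query parameter" >&2; return 4 ;;
  esac
  # Quotes and backslashes would break the quoted values in the curl config.
  case $base$path in
    *\"*|*\\*) echo "URL contains a quote or backslash" >&2; return 4 ;;
  esac

  printf 'url = "%s%s"\n' "${base%/}" "$path"
  printf 'header = "Authorization: Bearer %s"\n' "$key"
  # fail: non-2xx responses give a non-zero exit status, so scripts notice a revoked key.
  printf 'fail\nsilent\nshow-error\n'
}

# Run the request. printf is a shell builtin, so the key is not passed as an
# argument to any external process.
keystroke_get() {
  cfg=$(keystroke_curl_config "$1") || return
  printf '%s\n' "$cfg" | curl --config -
}
```

Call it as `keystroke_get /api/projects` after exporting the two variables; a non-zero exit after a key has been revoked is the signal to rotate the script onto a new key.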

Next steps

Members: Understand the organization roles API keys inherit.
Organization: Manage organization-wide settings.
CLI reference: See the API key command reference.
Credentials: Store runtime credentials for agents and workflows.