> ## Documentation Index
> Fetch the complete documentation index at: https://app.keystroke.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> Create, revoke, and use org-scoped platform API keys.

API keys let scripts and external tools authenticate to the Keystroke platform without an interactive browser session. They belong to an organization and act as the user who created them.

Use **Settings > API keys** to create, copy, review, and revoke keys for the active organization.

## What API keys can access

Organization API keys authenticate to platform APIs for the organization they were created in. The key inherits the creator's organization role and access.

That means a key created by an admin can access admin-level platform APIs, while a key created by a builder is limited to builder-level access.

API keys can be sent as:

```bash theme={null}
Authorization: Bearer <api-key>
x-api-key: <api-key>
```

Some webhook-style endpoints also accept `?token=` or `?api_key=` query parameters. Prefer headers for new scripts.

## API keys and the CLI

API keys have nothing to do with CLI access today. The CLI is authenticated and accessed at the user level, not with org-scoped API keys.

When you run `keystroke auth login`, you authenticate as a user. From there, the CLI can access every organization you belong to and switch between them. It is not scoped to a single organization the way an API key is.

So use API keys for scripts and external tools hitting the platform API, and use `keystroke auth login` for CLI work like `keystroke deploy`.

## Create a key

Create API keys from the web app or the CLI.

```bash theme={null}
keystroke api-key create --name "Production automation"
```

The secret is shown only when the key is created. Copy it immediately and store it somewhere safe. After you close the reveal dialog or lose the CLI output, Keystroke only shows the key preview.

The API keys table shows:

| Column          | What it means                                             |
| --------------- | --------------------------------------------------------- |
| **Name**        | The label you gave the key                                |
| **Key preview** | A non-secret preview for identifying the key              |
| **Created at**  | When the key was created                                  |
| **Created by**  | The member who created the key, when your role can see it |

## Visibility and permissions

API key visibility depends on your organization role:

| Role        | What it can do                                 |
| ----------- | ---------------------------------------------- |
| **Owner**   | View all keys, create keys, and revoke any key |
| **Admin**   | View all keys, create keys, and revoke any key |
| **Builder** | Create keys and view keys they created         |

Any member can revoke their own keys. Owners and admins can revoke keys created by other members.

## Revoke a key

Revoke a key when it is no longer needed, when a teammate leaves, or when you think the secret may have been exposed.

```bash theme={null}
keystroke api-key list
keystroke api-key revoke <api-key-id> --yes
```

Revocation takes effect immediately. Any requests using that key will stop authenticating.

## Use keys in scripts

Store the key in an environment variable and pass it as a header:

```bash theme={null}
export KEYSTROKE_API_KEY="key_live_..."
export KEYSTROKE_PLATFORM_URL="https://<your-platform-url>"

curl "$KEYSTROKE_PLATFORM_URL/api/projects" \
  -H "Authorization: Bearer $KEYSTROKE_API_KEY"
```

Use separate keys for separate scripts or environments. Naming keys clearly makes it easier to revoke the right one later.

## Next steps

<CardGroup cols={2}>
  <Card title="Members" href="/learn/settings/members">
    Understand the organization roles API keys inherit.
  </Card>

  <Card title="Organization" href="/learn/settings/organization">
    Manage organization-wide settings.
  </Card>

  <Card title="CLI reference" href="/cli#organization-and-access">
    See the API key command reference.
  </Card>

  <Card title="Credentials" href="/learn/credentials/overview">
    Store runtime credentials for agents and workflows.
  </Card>
</CardGroup>
