API Keys

Manage API keys for your organization. Keys are hashed on creation — the raw key is returned only once and can never be retrieved again. Store it securely.

Plan requirement: API key limits vary by plan — Trial and Pro allow 1 key, Starter allows 3, Education allows 5, Professional allows 10, and Enterprise is unlimited. Personal plans do not include API key access.

GET

/v1/keys

List all API keys for your organization. Key hashes are never exposed.

Response

200 OK

{
  "keys": [
    {
      "id": "uuid",
      "name": "Production",
      "key_prefix": "ia_sk_a1b2c3",
      "rate_limit_per_minute": 60,
      "enabled": true,
      "last_used_at": "2026-01-20T14:30:00Z",
      "created_at": "2026-01-10T08:00:00Z",
      "expires_at": null
    }
  ]
}

POST

/v1/keys

Create a new API key. The raw key is returned only in this response.

Request Body

Parameter	Type	Required	Description
`name`	string	Yes	A label for this key (e.g. "Production", "Staging")
`rate_limit_per_minute`	number	No	Requests per minute (default: 60)
`expires_at`	string	No	ISO 8601 expiry date (default: never)

Create Response

201 Created

{
  "key": {
    "id": "uuid",
    "name": "Production",
    "key_prefix": "ia_sk_a1b2c3",
    "rate_limit_per_minute": 120,
    "enabled": true,
    "created_at": "2026-01-15T10:00:00Z",
    "expires_at": null
  },
  "raw_key": "ia_sk_a1b2c3d4e5f6...",
  "warning": "Store this key securely. It cannot be retrieved again."
}

The raw_key is only returned once at creation time. It is SHA-256 hashed before storage and cannot be recovered. If lost, revoke the key and create a new one.

DELETE

/v1/keys/:id

Revoke an API key. The key is disabled immediately.

Path Parameters

Parameter	Type	Required	Description
`id`	string	Yes	The key ID to revoke

Revoke Response

200 OK

{ "revoked": true }

You cannot revoke the API key that is authenticating the current request.

Revoked keys return a 401 error immediately on subsequent requests.

Examples

SDK

// Create a new key (raw key returned only once)
const { raw_key, key } = await armor.createKey({
  name: 'Production',
  rate_limit_per_minute: 120,
});
console.log(raw_key); // ia_sk_... — store this securely

// List all keys (hashes never exposed)
const keys = await armor.listKeys();

// Revoke a key
await armor.revokeKey(key.id);

cURL — Create

curl -X POST https://indigiarmor.com/v1/keys \
  -H "Authorization: Bearer ia_sk_..." \
  -H "Content-Type: application/json" \
  -d '{"name": "Staging", "rate_limit_per_minute": 30}'