API keys
The API keys resource manages the sk_* and pk_* tokens your workspace uses to authenticate. Use it to mint a key for a new integration, list active keys, and revoke compromised ones.
For the auth recipe, see Authentication.
All endpoints require an sk_* key — you can't bootstrap with pk_*.
Endpoints
| Method | Path | Purpose |
|---|---|---|
| GET | `/v1/account/api-keys` | List keys |
| POST | `/v1/account/api-keys` | Create a key |
| DELETE | `/v1/account/api-keys/:id` | Revoke a key |
List
GET /v1/account/api-keys
Returns metadata only — secret values are never returned after creation. Each row has:
```json
{
  "id": "key_01HX...",
  "name": "Production webhook handler",
  "prefix": "sk_live_",
  "last4": "9z8a",
  "environment": "live",
  "access": "secret",
  "createdAt": "2026-05-01T10:00:00Z",
  "lastUsedAt": "2026-05-13T10:39:42Z",
  "revokedAt": null
}
```
`prefix` + `last4` is enough to tell keys apart in logs, so log that pair rather than the key itself.
Create
POST /v1/account/api-keys
Request body
| Field | Type | Required | Description |
|---|---|---|---|
| `name` | string (1–100) | yes | Human label for the key ("Production CI", "Mobile app"). |
| `environment` | `test` \| `live` | yes | Test keys only see test data; live keys are full prod. |
| `access` | `secret` \| `publishable` | yes | `secret` = full read/write. `publishable` = read-only public catalogue, safe to embed in frontend code. |
Response — 201 Created
```json
{
  "data": {
    "id": "key_01HX...",
    "name": "Production webhook handler",
    "environment": "live",
    "access": "secret",
    "value": "sk_live_abc123...xyz9z8a",
    "createdAt": "2026-05-13T10:42:00Z"
  },
  "error": null,
  "meta": { "requestId": "req_01HX...", "timestamp": "2026-05-13T10:42:00Z" }
}
```
`value` is returned exactly once. Storlaunch hashes it and stores only the hash; we cannot recover the key. Stash it in your secret manager immediately. If you lose it, mint a new key and revoke this one.
Revoke
DELETE /v1/account/api-keys/:id
Revokes the key immediately. Subsequent requests with that key get 401 INVALID_API_KEY. Revocation is irreversible — mint a new key to restore access.
```bash
curl -X DELETE https://storlaunch.forjio.com/api/v1/account/api-keys/key_01HX... \
  -H "Authorization: Bearer sk_live_xxx"
```
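The Create, List and Revoke sections together describe a store that keeps only a hash of each key, hands the plaintext back once, identifies keys by prefix + last4, and answers 401 once a key is revoked. The following is an added example that models that lifecycle; it is not Storlaunch's own code. It assumes SHA-256 as the digest and a 32-hex-character random suffix, neither of which the page specifies, and uses `redact()` to produce the log-safe form of a key.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed model of the key store described on this page. Assumptions not
# stated by the page: SHA-256 as the digest, token_hex(16) as the random part.


def _now() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def redact(value: str) -> str:
    """Render a key as prefix + last4, the only form that belongs in logs."""
    parts = value.split("_", 2)  # ["sk", "live", "<random>"]
    if len(parts) < 3:
        return "***"
    return f"{parts[0]}_{parts[1]}_...{value[-4:]}"


@dataclass
class ApiKeyRecord:
    id: str
    name: str
    prefix: str
    last4: str
    environment: str
    access: str
    key_hash: str  # never leaves the store
    created_at: str
    last_used_at: Optional[str] = None
    revoked_at: Optional[str] = None

    def metadata(self) -> dict:
        """The row shape GET /v1/account/api-keys returns: no hash, no plaintext."""
        return {
            "id": self.id, "name": self.name, "prefix": self.prefix,
            "last4": self.last4, "environment": self.environment,
            "access": self.access, "createdAt": self.created_at,
            "lastUsedAt": self.last_used_at, "revokedAt": self.revoked_at,
        }


class ApiKeyStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, ApiKeyRecord] = {}
        self._by_hash: Dict[str, str] = {}  # digest -> key id

    def create(self, name: str, environment: str, access: str) -> Tuple[dict, str]:
        """POST /v1/account/api-keys: returns (metadata, plaintext value)."""
        if not 1 <= len(name) <= 100:
            raise ValueError("name must be 1-100 characters")
        if environment not in ("test", "live"):
            raise ValueError("environment must be test or live")
        if access not in ("secret", "publishable"):
            raise ValueError("access must be secret or publishable")
        prefix = ("sk" if access == "secret" else "pk") + f"_{environment}_"
        value = prefix + secrets.token_hex(16)  # assumed length and alphabet
        record = ApiKeyRecord(
            id="key_" + secrets.token_hex(8), name=name, prefix=prefix,
            last4=value[-4:], environment=environment, access=access,
            key_hash=_digest(value), created_at=_now(),
        )
        self._by_id[record.id] = record
        self._by_hash[record.key_hash] = record.id
        # The plaintext is returned exactly once and is not retained anywhere.
        return record.metadata(), value

    def list(self) -> List[dict]:
        """GET /v1/account/api-keys: metadata only."""
        return [r.metadata() for r in self._by_id.values()]

    def authenticate(self, presented: str) -> Optional[ApiKeyRecord]:
        """Resolve a presented key; None means 401 INVALID_API_KEY."""
        # Hash first, then look up: the store never compares a plaintext secret.
        key_id = self._by_hash.get(_digest(presented))
        if key_id is None:
            return None
        record = self._by_id[key_id]
        if record.revoked_at is not None:  # revoked keys fail exactly like unknown ones
            return None
        record.last_used_at = _now()
        return record

    def revoke(self, key_id: str) -> bool:
        """DELETE /v1/account/api-keys/:id: irreversible."""
        record = self._by_id.get(key_id)
        if record is None or record.revoked_at is not None:
            return False
        record.revoked_at = _now()
        return True
```

Because the store keys its lookup table by digest, losing the database leaks only hashes, and a leaked key shows up in logs only as `sk_live_...9z8a`, which is enough to find and revoke it through the List and Revoke endpoints.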
Key types recap
| Prefix | Environment | Access | Safe to expose? |
|---|---|---|---|
| `pk_test_…` | Test | Read-only public catalogue | Yes (client-side JS) |
| `pk_live_…` | Live | Read-only public catalogue | Yes |
| `sk_test_…` | Test | Full account access | No |
| `sk_live_…` | Live | Full account access | No |
A pk_* key can only call:
- `GET /v1/storefront/public/*`
- `GET /v1/storefront/products`
- `GET /v1/storefront/products/:id`
Trying anything else returns 403 FORBIDDEN.
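An added example of the publishable-key allow-list as a server-side check (not Storlaunch's own code): it normalizes the path before matching so that query strings, trailing slashes and `..` segments cannot turn a disallowed route into an allowed one, and returns the 403 FORBIDDEN this page describes for anything outside the three routes. It assumes the trailing `*` matches one or more path segments and `:id` exactly one; the page does not say.

```python
import posixpath
from typing import List, Tuple

# Constructed allow-list for pk_* keys, from the routes listed on this page.
# Assumption: "*" matches one or more trailing segments, ":id" exactly one.
PK_ALLOWED = (
    ("GET", "/v1/storefront/public/*"),
    ("GET", "/v1/storefront/products"),
    ("GET", "/v1/storefront/products/:id"),
)


def _segments(path: str) -> List[str]:
    """Strip query/fragment, collapse '.' and '..', then split into segments."""
    path = path.split("?", 1)[0].split("#", 1)[0]
    if not path.startswith("/"):
        path = "/" + path
    normalized = posixpath.normpath(path)  # "/a/b/../c" -> "/a/c", drops trailing "/"
    return [s for s in normalized.split("/") if s]


def _matches(pattern: str, path: str) -> bool:
    pat, seg = _segments(pattern), _segments(path)
    for i, p in enumerate(pat):
        if p == "*":
            return len(seg) > i  # wildcard must consume at least one segment
        if i >= len(seg):
            return False
        if p.startswith(":"):
            continue  # ":id" matches any single segment
        if p != seg[i]:
            return False
    return len(seg) == len(pat)  # no extra segments beyond the pattern


def authorize(key: str, method: str, path: str) -> Tuple[int, str]:
    """Scope check run after the key itself has been authenticated.

    Returns (status, code) the way the page describes: pk_* keys outside the
    allow-list get 403 FORBIDDEN; an unrecognised prefix is 401 INVALID_API_KEY.
    """
    if key.startswith("sk_"):
        return 200, "OK"  # secret keys are not limited by this list
    if not key.startswith("pk_"):
        return 401, "INVALID_API_KEY"
    for allowed_method, pattern in PK_ALLOWED:
        if allowed_method == method.upper() and _matches(pattern, path):
            return 200, "OK"
    return 403, "FORBIDDEN"
```

The matching is on the normalized path only; matching on the raw request string would let `/v1/storefront/public/../../account/api-keys` pass the `public/*` rule while the router served the account endpoint.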
Events
| Event type | Fires on |
|---|---|
| (none) | — |
API-key lifecycle events are intentionally not in the public outbox — they're written to the audit log instead. Subscribe via Audit log for api_key.created and api_key.revoked entries.
Next
- Authentication — the bearer-token recipe.
- Audit log — where key lifecycle events live.
- Webhook endpoints — where event delivery is configured.