Managing API Keys
API keys are managed through the /v1/api-keys endpoints. These endpoints accept both JWT (from the web app) and API key authentication.
Create an API key
POST /v1/api-keys
Scope: keys:manage
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Human-readable name, max 120 chars (e.g. "CI Pipeline") |
type | string | Yes | pat or wst |
scopes | string[] | Yes | Array of scope strings |
workspaceId | string | WST only | Required for workspace service tokens |
expiresAt | string | No | ISO 8601 expiry date |
The response includes a token field with the full plaintext key. This is shown only once — store it securely.
{
"data": {
"id": "key_abc123",
"name": "CI Pipeline",
"type": "pat",
"prefix": "brie_pat_a1b2c3d4",
"lastFour": "ef56",
"token": "brie_pat_a1b2c3d4e5f6...",
"scopes": ["slices:read", "slices:write"],
"createdAt": "2026-03-30T10:00:00.000Z"
}
}
List API keys
GET /v1/api-keys
Scope: keys:manage
| Parameter | Type | Description |
|---|---|---|
workspaceId | string | Optional — filter by workspace |
Returns all active (non-revoked) keys. Token values are never included.
Get API key details
GET /v1/api-keys/:id
Scope: keys:manage
Returns details including last used timestamp and IP.
Revoke an API key
DELETE /v1/api-keys/:id
Scope: keys:manage
Permanently revokes the key. Returns 200 OK:
{ "data": { "id": "key_abc123", "revokedAt": "2026-03-30T10:00:00.000Z" } }
Rotate an API key
POST /v1/api-keys/:id/rotate
Scope: keys:manage
Revokes the old key and creates a new one with the same name, type, scopes, workspace, and expiry. Returns 201 Created with the new token (shown once).
Use rotation for periodic key refresh without losing your configuration.
Limits
| Token type | Limit |
|---|---|
| PAT | 25 active keys per user |
| WST | 10 active keys per workspace |