Imports up to 1000 external API keys in one request. Returns per-item results. If at least one item succeeds, response is 200 OK. If all items fail, the endpoint returns a non-200 error. http POST /v2alpha1/admin/importedApiKeys:batchImport { \"requests\": [ {\"raw_key\": \"sk_live_abc\", \"name\": \"Stripe key\", \"actor_id\": \"user_1\"}, {\"raw_key\": \"ghp_xyz\", \"name\": \"GitHub PAT\", \"actor_id\": \"user_2\"} ] }
Verifies multiple credentials in a single request. Efficiently verifies up to 100 credentials in parallel. Each credential is verified independently; partial failures are returned. Admin access only. Cache Control (HTTP Headers): - Cache-Control: no-cache - Bypasses cache read, forces fresh DB lookup - Cache-Control: no-store - Bypasses cache read AND write (never cached) - Pragma: no-cache - Same as Cache-Control: no-cache (HTTP/1.0) The cache directive applies to every credential in the batch. http POST /v2alpha1/admin/apiKeys:batchVerify { \"requests\": [ {\"credential\": \"sk_live_abc123...\"}, {\"credential\": \"eyJhbGciOiJFZERTQSI...\"} ] }
Permanently deletes an imported key (hard delete). The key is removed from the database. Use RevokeAPIKey for soft deletion (recommended). http DELETE /v2alpha1/admin/importedApiKeys/{key_id}
Mints a short-lived JWT or Macaroon token from an API key. Works with both issued and imported keys. The derived token inherits the permissions of the parent API key. http POST /v2alpha1/admin/apiKeys:derive { \"credential\": \"eyJhbGciOiJFZERTQSI...\", \"ttl\": \"1h\" }
Retrieves details about a specific imported key. Returns metadata about the imported key. The original raw key is never returned. http GET /v2alpha1/admin/importedApiKeys/{key_id}
Retrieves details about a specific issued API key including its status, scopes, expiration, and usage statistics. The secret is never returned. http GET /v2alpha1/admin/issuedApiKeys/01HQZX9VYQKJB8XQZQXQZQXQXQ
Imports an external API key into the system. Allows importing keys from legacy systems or external providers. The raw key is hashed and stored securely (HMAC). Imported keys support token derivation (JWT/Macaroon) like issued keys. http POST /v2alpha1/admin/importedApiKeys { \"raw_key\": \"sk_live_abc123xyz\", \"name\": \"Imported Stripe Key\", \"actor_id\": \"user_123\" }
Creates a new API key for a given actor. The secret is returned only once in the response and cannot be retrieved later. Keys can be scoped with specific permissions and have optional expiration. http POST /v2alpha1/admin/issuedApiKeys { \"name\": \"production-service\", \"actor_id\": \"user_123\", \"scopes\": [\"read\", \"write\"], \"ttl\": \"8760h\" }
Lists all imported keys with filtering. Returns imported keys only (not issued keys). Supports pagination and AIP-160 filter expressions. http GET /v2alpha1/admin/importedApiKeys?page_size=50&filter=status%3DKEY_STATUS_ACTIVE
Lists issued API keys with optional filtering. Supports cursor-based pagination and AIP-160 filter expressions. Returns only issued (generated) API keys; use ListImportedAPIKeys for imported keys. http GET /v2alpha1/admin/issuedApiKeys?page_size=50&filter=actor_id%3D%22user_123%22
Immediately revokes an API key (issued or imported). Once revoked, the key can no longer be used for authentication. This operation is irreversible. Revoked keys are retained for audit purposes. http POST /v2alpha1/admin/apiKeys/01HQZX9VYQKJB8XQZQXQZQXQXQ:revoke { \"reason\": \"REVOCATION_REASON_KEY_COMPROMISE\" }
Generates a new secret for an issued API key. Creates a new API key with a new key_id and secret, and immediately revokes the old key. This is the recommended way to update scopes, metadata, or rotate credentials. For zero-downtime rotation, use this workflow instead: 1. IssueAPIKey with new credentials 2. Deploy new secret to all services 3. Verify new secret works everywhere 4. RevokeAPIKey to remove the old key http POST /v2alpha1/admin/issuedApiKeys/01HQZX9VYQKJB8XQZQXQZQXQXQ:rotate { \"scopes\": [\"read\"] }
Updates metadata, scopes, or rate limits of an imported key. Supports partial updates via the update_mask query parameter (AIP-134). Omitting update_mask is equivalent to a mask of every populated field in the body. To clear a field to its zero value, list it explicitly in update_mask and leave it unset (or empty) in the body. http PATCH /v2alpha1/admin/importedApiKeys/{key_id}?update_mask=name { \"imported_api_key\": { \"key_id\": \"{key_id}\", \"name\": \"New name\" } }
Updates metadata, scopes, or rate limits of an issued key without rotating the secret. Use RotateIssuedAPIKey to change the secret. Follows AIP-134: the request body is the IssuedAPIKey resource itself, and the update_mask query parameter names the subset of fields to apply. Omitting update_mask is equivalent to a mask of every populated field in the body. To clear a field to its zero value, list it explicitly in update_mask and leave it unset (or empty) in the body. http PATCH /v2alpha1/admin/issuedApiKeys/01HQZX9VYQKJB8XQZQXQZQXQXQ?update_mask=scopes { \"issued_api_key\": { \"key_id\": \"01HQZX9VYQKJB8XQZQXQZQXQXQ\", \"scopes\": [\"read\"] } }
Verifies a single API key or derived token. Validates the credential’s signature, expiration, and revocation status. Works with any credential type (issued keys, imported keys, JWT, macaroon). The verification result includes decoded claims and metadata — admin access only. Cache Control (HTTP Headers): - Cache-Control: no-cache - Bypasses cache read, forces fresh DB lookup - Cache-Control: no-store - Bypasses cache read AND write (never cached) - Pragma: no-cache - Same as Cache-Control: no-cache (HTTP/1.0) http POST /v2alpha1/admin/apiKeys:verify { \"credential\": \"sk_live_abc123...\" }
Returns the JSON Web Key Set for token verification. Provides the public keys needed to verify JWT tokens issued by this service. Keys are loaded from configuration (file://, https://, or base64:// URIs). Follows the JWKS standard (RFC 7517). http GET /v2alpha1/derivedKeys/jwks.json
Proof-of-possession variant of revocation. Lives alongside AdminRevokeAPIKey in this service; the Self* prefix on the request/response messages disambiguates from the admin variant’s RevokeAPIKeyRequest. Allows an API key holder to revoke their own key. The caller must provide the full API key secret as proof of possession. Supports issued API keys and imported keys. JWT and macaroon tokens cannot be self-revoked (they are stateless). The PRIVILEGE_WITHDRAWN reason is not allowed for self-revocation (admin-only). http POST /v2alpha1/apiKeys:selfRevoke { \"credential\": \"sk_live_abc123...\", \"reason\": \"REVOCATION_REASON_KEY_COMPROMISE\" }