API Keys

Create and manage scoped API keys for secure service-to-service authentication. Each API key can be granted specific permissions and is tied to a single tenant organization.

The API key model

The API key model contains all the information about your API keys, including their scoped permissions, usage tracking, and security metadata.

Properties

  • id (string): Unique identifier for the API key.

  • name (string): Descriptive name for the API key.

  • key (string): The actual API key string (only returned upon creation).

  • scopes (array): Array of permission scopes granted to this key.

  • description (string): Optional description of the key's intended use.

  • expires_at (timestamp): Optional expiration timestamp for the key.

  • last_used_at (timestamp): Timestamp of when the key was last used.

  • created_at (timestamp): Timestamp of when the key was created.


GET /v1/tenants/:id/api-keys

List API keys

Retrieve all API keys for a tenant along with their metadata. For security, this endpoint never returns the key values themselves.

Optional attributes

  • active_only (boolean): Filter to only non-expired keys (default: false).

  • limit (integer): Number of results to return (default: 50, max: 100).

  • offset (integer): Number of results to skip for pagination.

Request

GET /v1/tenants/tenant_01JB2M3N4P5Q6R7S8T9U0V/api-keys
curl -G https://api.sandbox.whocomply.com/v1/tenants/tenant_01JB2M3N4P5Q6R7S8T9U0V/api-keys \
  -H "Authorization: Bearer {token}" \
  -d active_only=true \
  -d limit=10

Response

{
  "success": true,
  "data": {
    "api_keys": [
      {
        "id": "key_01JB2M3N4P5Q6R7S8T9U0V",
        "name": "production-backend",
        "scopes": [
          "transactions:write",
          "accounts:read",
          "balances:read"
        ],
        "description": "Backend service for production transactions",
        "expires_at": "2026-01-15T10:30:00Z",
        "last_used_at": "2025-01-15T09:45:00Z",
        "created_at": "2025-01-15T10:30:00Z"
      },
      {
        "id": "key_02KC3M4N5P6Q7R8S9T0U1W",
        "name": "analytics-readonly",
        "scopes": [
          "accounts:read",
          "balances:read",
          "reports:read"
        ],
        "description": "Analytics dashboard read-only access",
        "expires_at": null,
        "last_used_at": null,
        "created_at": "2025-01-14T15:20:00Z"
      }
    ],
    "pagination": {
      "total": 2,
      "limit": 10,
      "offset": 0,
      "has_more": false
    }
  }
}
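
The list response carries enough metadata (expires_at, last_used_at, created_at) to review key hygiene without ever seeing a key value. The following is an added example, not part of the original documentation: the 90-day and 30-day thresholds and the finding names are assumptions, and the input is the sample response above, trimmed.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed input: the two keys from the list response shown above, trimmed.
SAMPLE = json.loads("""
{"success": true, "data": {"api_keys": [
  {"id": "key_01JB2M3N4P5Q6R7S8T9U0V", "name": "production-backend",
   "scopes": ["transactions:write", "accounts:read", "balances:read"],
   "expires_at": "2026-01-15T10:30:00Z", "last_used_at": "2025-01-15T09:45:00Z",
   "created_at": "2025-01-15T10:30:00Z"},
  {"id": "key_02KC3M4N5P6Q7R8S9T0U1W", "name": "analytics-readonly",
   "scopes": ["accounts:read", "balances:read", "reports:read"],
   "expires_at": null, "last_used_at": null,
   "created_at": "2025-01-14T15:20:00Z"}],
  "pagination": {"total": 2, "limit": 10, "offset": 0, "has_more": false}}}
""")

def parse_ts(value):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' timestamps; null stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_keys(response, now, stale_days=90, expiring_days=30):
    """Return {key_id: [finding, ...]} for keys that need review."""
    if response["data"]["pagination"]["has_more"]:
        raise ValueError("partial page: fetch the remaining offsets before auditing")
    stale, soon = timedelta(days=stale_days), timedelta(days=expiring_days)
    findings = {}
    for key in response["data"]["api_keys"]:
        issues = []
        expires = parse_ts(key.get("expires_at"))
        last_used = parse_ts(key.get("last_used_at"))
        if expires is None:
            issues.append("no-expiry")
        elif expires <= now:
            issues.append("expired")
        elif expires - now <= soon:
            issues.append("expiring-soon")
        # A key that was never used ages from its creation time instead.
        if last_used is None and now - parse_ts(key["created_at"]) > stale:
            issues.append("never-used")
        elif last_used is not None and now - last_used > stale:
            issues.append("stale")
        if issues:
            findings[key["id"]] = issues
    return findings

if __name__ == "__main__":
    print(audit_keys(SAMPLE, datetime(2025, 6, 1, tzinfo=timezone.utc)))
```

Keys flagged as never-used or stale are candidates for the delete endpoint; keys flagged no-expiry are candidates for replacement with a key that sets expires_at.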

POST /v1/tenants/:id/api-keys

Create API key

Generate a new API key with specific scopes for your tenant. For security, the key value is shown only once, in the creation response.

Required attributes

  • name (string): Descriptive name for the API key (e.g., "production-backend").

  • scopes (array): Array of permission scopes to grant this key.

Optional attributes

  • expires_at (string): Optional expiration date (ISO 8601 format).

  • description (string): Optional description of the key's intended use.

Request

POST /v1/tenants/tenant_01JB2M3N4P5Q6R7S8T9U0V/api-keys
curl https://api.sandbox.whocomply.com/v1/tenants/tenant_01JB2M3N4P5Q6R7S8T9U0V/api-keys \
  -H "Authorization: Bearer {token}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "production-backend",
    "scopes": [
      "transactions:write",
      "accounts:read",
      "balances:read"
    ],
    "description": "Backend service for production transactions",
    "expires_at": "2026-01-15T10:30:00Z"
  }'

Response

{
  "success": true,
  "data": {
    "api_key": {
      "id": "key_01JB2M3N4P5Q6R7S8T9U0V",
      "name": "production-backend",
      "key": "lsk_live_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef",
      "scopes": [
        "transactions:write",
        "accounts:read",
        "balances:read"
      ],
      "description": "Backend service for production transactions",
      "expires_at": "2026-01-15T10:30:00Z",
      "created_at": "2025-01-15T10:30:00Z"
    }
  },
  "message": "API key created successfully"
}
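
Because expires_at is optional and the key value appears only in this response, a client-side wrapper can enforce an expiry and a scope allowlist before the request is sent, and strip the secret before the response is logged. The following is an added example, not part of the original documentation: ALLOWED_SCOPES, MAX_TTL and the key_fingerprint field are local assumptions, and the allowlist contains only the scope names that appear in this page's examples.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Assumption: a local policy allowlist built from the scope names used in this
# page's examples; it is not the service's full scope list.
ALLOWED_SCOPES = {"transactions:write", "accounts:read", "balances:read", "reports:read"}
MAX_TTL = timedelta(days=365)  # assumed local policy, not an API limit

def build_create_body(name, scopes, ttl, now, description=""):
    """Build the POST body; `now` must be timezone-aware.

    Refuses empty or unlisted scopes and any request without a bounded expiry,
    so every key created through this wrapper is scoped and expires.
    """
    if not scopes:
        raise ValueError("at least one scope is required")
    unknown = sorted(set(scopes) - ALLOWED_SCOPES)
    if unknown:
        raise ValueError(f"scopes not in local allowlist: {unknown}")
    if ttl <= timedelta(0) or ttl > MAX_TTL:
        raise ValueError("ttl must be positive and no longer than MAX_TTL")
    expires = (now + ttl).astimezone(timezone.utc)
    body = {"name": name, "scopes": sorted(set(scopes)),
            "expires_at": expires.strftime("%Y-%m-%dT%H:%M:%SZ")}
    if description:
        body["description"] = description
    return body

def redact_for_logging(create_response):
    """Return a copy of the creation response that is safe to log.

    The one-time `key` value is replaced by a short SHA-256 fingerprint
    (hypothetical local field `key_fingerprint`); the input is not modified.
    """
    api_key = dict(create_response["data"]["api_key"])
    secret = api_key.pop("key")
    digest = hashlib.sha256(secret.encode()).hexdigest()[:12]
    api_key["key_fingerprint"] = f"sha256:{digest}"
    return {**create_response, "data": {"api_key": api_key}}
```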

DELETE /v1/tenants/:id/api-keys/:key_id

Delete API key

Permanently delete an API key. This action cannot be undone and will immediately invalidate the key across all services.

Request

DELETE /v1/tenants/tenant_01JB2M3N4P5Q6R7S8T9U0V/api-keys/key_01JB2M3N4P5Q6R7S8T9U0V
curl -X DELETE https://api.sandbox.whocomply.com/v1/tenants/tenant_01JB2M3N4P5Q6R7S8T9U0V/api-keys/key_01JB2M3N4P5Q6R7S8T9U0V \
  -H "Authorization: Bearer {token}"

Response

{
  "success": true,
  "message": "API key deleted successfully"
}
