API Key Endpoints

Manage tenant API keys for server-to-server authentication.


Create API Key

POST /api/v1/api-keys

Headers

  • Authorization: Bearer <adminToken>
  • X-Bulwark-Tenant: <tenant-id>

Body

{
  "name": "production-server",
  "scopes": ["agents:read", "agents:write", "sessions:create"],
  "expiresAt": "2027-01-01T00:00:00Z"
}

Response 201

{
  "data": {
    "keyId": "key_01j...",
    "name": "production-server",
    "key": "bwk_live_...",
    "scopes": ["agents:read", "agents:write", "sessions:create"],
    "expiresAt": "2027-01-01T00:00:00Z",
    "createdAt": "2026-03-18T00:00:00Z"
  }
}

Important: The key value is only returned once. Store it immediately.


List API Keys

GET /api/v1/api-keys

Response 200

{
  "data": [
    {
      "keyId": "key_01j...",
      "name": "production-server",
      "scopes": ["agents:read", "agents:write", "sessions:create"],
      "lastUsedAt": "2026-03-18T12:00:00Z",
      "expiresAt": "2027-01-01T00:00:00Z",
      "status": "active"
    }
  ]
}

Key values are never returned after creation.


Revoke API Key

DELETE /api/v1/api-keys/{keyId}

Immediately invalidates the key.

Response 200

{
  "data": {
    "keyId": "key_01j...",
    "status": "revoked",
    "revokedAt": "2026-03-18T13:00:00Z"
  }
}

Available Scopes

| Scope | Description |
|-------|-------------|
| agents:read | List and get agents |
| agents:write | Create and update agents |
| agents:revoke | Revoke agents |
| sessions:create | Create agent sessions |
| sessions:read | Read session details |
| vault:read | Read from token vault |
| vault:write | Write to token vault |
| audit:read | Read audit logs |
| fga:read | Check FGA policies |
| fga:write | Update FGA tuples |
| admin:* | Full admin access |
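
The List API Keys response carries enough metadata (scopes, lastUsedAt, expiresAt, status) to review key hygiene without ever seeing a key value. The following is an added example, not part of the Bulwark API or its documentation: a Python audit over a response body in that shape. The high-privilege scope set, the 90-day and 365-day thresholds, and the handling of a null or missing lastUsedAt or expiresAt are assumptions of this example, and the sample key IDs are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: which scopes count as high-privilege is this example's policy, not the API's.
HIGH_PRIVILEGE = {"admin:*", "vault:write", "fga:write", "agents:revoke"}
STALE_AFTER = timedelta(days=90)    # assumed policy threshold
MAX_LIFETIME = timedelta(days=365)  # assumed policy threshold

def parse_ts(value):
    """Parse timestamps in the form the responses use, e.g. 2027-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_keys(list_response, now):
    """Return {keyId: [finding, ...]} for active keys in a GET /api/v1/api-keys body."""
    findings = {}
    for key in list_response.get("data", []):
        if key.get("status") != "active":
            continue  # revoked keys are already invalid
        risky = set(key.get("scopes", [])) & HIGH_PRIVILEGE
        expires = parse_ts(key.get("expiresAt"))
        last_used = parse_ts(key.get("lastUsedAt"))
        issues = []
        if risky:
            issues.append("high-privilege scope: " + ", ".join(sorted(risky)))
        if expires is None:  # assumption: the field may be null or absent
            issues.append("no expiry set")
        elif expires <= now:
            issues.append("listed active but past expiresAt")
        elif expires - now > MAX_LIFETIME:
            issues.append("expiry more than 365 days out")
        if last_used is None:  # assumption: null means the key was never used
            issues.append("never used")
        elif now - last_used > STALE_AFTER:
            issues.append("unused for over 90 days")
        if issues:
            findings[key["keyId"]] = issues
    return findings

# Constructed sample in the shape of the List API Keys response; key IDs are made up.
SAMPLE = {"data": [
    {"keyId": "key_example_a", "name": "production-server", "status": "active",
     "scopes": ["agents:read", "sessions:create"],
     "lastUsedAt": "2026-03-18T12:00:00Z", "expiresAt": "2027-01-01T00:00:00Z"},
    {"keyId": "key_example_b", "name": "old-ci", "status": "active", "scopes": ["admin:*"],
     "lastUsedAt": "2025-10-01T00:00:00Z", "expiresAt": "2028-06-01T00:00:00Z"},
    {"keyId": "key_example_c", "name": "retired", "status": "revoked",
     "scopes": ["vault:write"], "lastUsedAt": None, "expiresAt": "2027-01-01T00:00:00Z"},
]}

if __name__ == "__main__":
    print(audit_keys(SAMPLE, datetime(2026, 3, 19, tzinfo=timezone.utc)))
```

Keys the audit flags are candidates for the revoke endpoint or for reissue with a narrower scope list and a shorter expiresAt.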