Create and rotate API keys

Create a new API key, rename an existing one, revoke a compromised key, and delete keys you no longer need. API keys live at the account level — each one grants the role of whoever minted it.

Prerequisites: You must be an OWNER or ADMIN. Your email must be verified — unverified users get 403 even if they have the right role. There is no auto-created Default API key for new accounts; you must create your first key explicitly.

Create a key

In the console

  1. Go to API Keys in the platform sidebar (/platform/api-keys).
  2. Click Create API Key.
  3. Give it a descriptive name (ci-payments-deploy, local-mike, terraform-prod).
  4. Optionally set an expiration date.
  5. Click Create.
  6. Copy the secret immediately. It starts with sk_api_. The console displays it once — there's no way to retrieve it later.

Via the API

bash
curl -X POST https://app.smplkit.com/api/v1/api_keys \
  -H "Authorization: Bearer $SMPLKIT_API_KEY" \
  -H "Content-Type: application/vnd.api+json" \
  -d '{
    "data": {
      "type": "api_key",
      "attributes": {
        "name": "ci-payments-deploy",
        "expires_at": "2027-01-01T00:00:00Z"
      }
    }
  }'

The response includes the secret in plain text in data.attributes.secret exactly once. Save it before you make any other request.

Rename a key

In the console

In the API Keys list, click the key, edit the name, save.

Via the API

bash
curl -X PUT https://app.smplkit.com/api/v1/api_keys/$KEY_ID \
  -H "Authorization: Bearer $SMPLKIT_API_KEY" \
  -H "Content-Type: application/vnd.api+json" \
  -d '{
    "data": {
      "type": "api_key",
      "id": "'"$KEY_ID"'",
      "attributes": {"name": "ci-payments-deploy-v2"}
    }
  }'

Revoke or delete a key

Revoke and delete both stop a key from working. The difference is whether the row stays in your audit trail.

  • Revoke keeps the row and marks status REVOKED. The key stops authenticating; deployments using it begin failing. Use revoke when a key may have been exposed.
  • Delete soft-deletes the row, removing it from listings. Use delete for housekeeping (an old key you no longer need).

Revoke

bash
curl -X POST https://app.smplkit.com/api/v1/api_keys/$KEY_ID/actions/revoke \
  -H "Authorization: Bearer $SMPLKIT_API_KEY"

Delete

bash
curl -X DELETE https://app.smplkit.com/api/v1/api_keys/$KEY_ID \
  -H "Authorization: Bearer $SMPLKIT_API_KEY"

Returns 204.

Rotate a key without downtime

To replace a deployed key without authentication failures:

  1. Mint a new key with POST /api/v1/api_keys and copy its secret.
  2. Roll the new secret out to every place that uses the old one (CI, env vars, secret manager). Update one deployment, validate, then continue.
  3. Once nothing references the old key, revoke the old key with POST /api/v1/api_keys/{id}/actions/revoke.
  4. After confirming no fallout for a few days, delete the old key for cleanup.

This sequence avoids the failure mode where the old key is revoked before its replacement is rolled out, which breaks production.
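The rotation sequence above as a gated script, added here as an example and not smplkit's own tooling: it refuses to revoke the old key unless the new one returns 200 on /users/current, then confirms the old one returns 401. The function names, the SMPLKIT_API override, the sed-based extraction of data.attributes.secret, and authorizing the revoke call with the new key are assumptions; step 2 (rollout) happens between the two functions.

```bash
#!/usr/bin/env bash
# Added example, not smplkit tooling. Uses only the endpoints shown on this page.
API="${SMPLKIT_API:-https://app.smplkit.com/api/v1}"   # SMPLKIT_API: hypothetical override

# Print the HTTP status of GET /users/current for secret $1 (200 works, 401 rejected).
key_status() {
  curl -s -o /dev/null -w '%{http_code}' "$API/users/current" \
    -H "Authorization: Bearer $1"
}

# Read a create response on stdin and print only data.attributes.secret.
extract_secret() {
  sed -n 's/.*"secret"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Step 1: mint a key named $1 (no quotes in the name), store its secret in
# file $2 with mode 0600, and prove that it authenticates.
rotate_mint() {
  local secret
  secret=$(curl -s -X POST "$API/api_keys" \
    -H "Authorization: Bearer $SMPLKIT_API_KEY" \
    -H "Content-Type: application/vnd.api+json" \
    -d '{"data":{"type":"api_key","attributes":{"name":"'"$1"'"}}}' | extract_secret)
  case $secret in
    sk_api_*) ;;
    *) echo "mint failed: no sk_api_ secret in response" >&2; return 1 ;;
  esac
  ( umask 077; printf '%s\n' "$secret" > "$2" )   # shown once, so persist it first
  [ "$(key_status "$secret")" = 200 ] || { echo "new key does not authenticate" >&2; return 2; }
}

# Step 3, after rollout: revoke old key id $1 (secret $2), authenticating with the
# new secret stored in file $3. Refuses to revoke unless the new key returns 200.
rotate_revoke() {
  local new
  new=$(cat "$3")
  [ "$(key_status "$new")" = 200 ] || { echo "new key failing; old key left active" >&2; return 2; }
  curl -s -o /dev/null -X POST "$API/api_keys/$1/actions/revoke" \
    -H "Authorization: Bearer $new"
  [ "$(key_status "$2")" = 401 ] || { echo "old key still authenticates" >&2; return 3; }
}
```

Run rotate_mint first, roll the stored secret out, then run rotate_revoke with the old key's id and secret.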

Limits

  • 50 API keys per account. The count includes both active and revoked keys. Soft-deleted keys do not count.

When you hit the cap, creating a key returns 409 Conflict.

Verify

After creating a key:

bash
# List keys (any role)
curl https://app.smplkit.com/api/v1/api_keys \
  -H "Authorization: Bearer $SMPLKIT_API_KEY"

# Try the new key
curl https://app.smplkit.com/api/v1/users/current \
  -H "Authorization: Bearer sk_api_<your_new_secret>"

A 200 response with the user's profile confirms the key works.

After revoking or deleting:

bash
curl https://app.smplkit.com/api/v1/users/current \
  -H "Authorization: Bearer sk_api_<revoked_secret>"

Returns 401 Unauthorized.