Managing Keys
Create, list, update, and revoke Management API keys from the dashboard API.
Management API keys are managed by dashboard session-authenticated users only. A Management API key cannot create, update, or revoke another Management API key.
One-time reveal
plaintextKey is returned only by the create route. Store it immediately. List and
update routes return metadata only.
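One way to act on the one-time reveal, as an added example that is not BlazeAuth's own code: write `plaintextKey` to an owner-only file the moment the create response arrives, and keep only a redacted copy for logs. The function name, the file path, and the sample response (constructed in the shape of the create response documented on this page) are assumptions.

```python
import json
import os

def store_created_key(response_body, secret_path):
    """Save plaintextKey from a create response; return a log-safe copy."""
    body = json.loads(response_body)
    if not body.get("success"):
        raise ValueError("create failed: %s" % body.get("message"))
    data = body["data"]
    secret = data["plaintextKey"]
    # O_EXCL refuses to overwrite an existing secret file; mode 0o600 makes
    # the new file readable and writable by its owner only.
    fd = os.open(secret_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(secret)
    # Copy for logs: metadata stays, the secret is replaced by the two
    # identifiers that the list route also exposes.
    meta = data["apiKey"]
    marker = "[stored] %s ...%s" % (meta["publicId"], meta["keyLast4"])
    return dict(body, data=dict(data, plaintextKey=marker))

# Constructed sample response; the key value is a placeholder, not a real key.
SAMPLE_RESPONSE = json.dumps({
    "success": True,
    "message": "Successfully created API key.",
    "data": {
        "apiKey": {"id": "9100", "name": "Constructed sample",
                   "publicId": "bak_0000000000000000", "keyLast4": "0000"},
        "plaintextKey": "blz_mgmt_bak_0000000000000000_CONSTRUCTED-SAMPLE-SECRET-0000",
    },
})

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        safe = store_created_key(SAMPLE_RESPONSE, os.path.join(tmp, "mgmt.key"))
        print(json.dumps(safe, indent=2))
```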
Routes
| Method | Path | Authentication |
|---|---|---|
| GET | /api/v1/panel/api-keys | Dashboard session |
| POST | /api/v1/panel/api-keys | Dashboard session |
| PATCH | /api/v1/panel/api-keys/:id | Dashboard session |
| POST | /api/v1/panel/api-keys/:id/revoke | Dashboard session |
Key metadata
| Field | Type | Notes |
|---|---|---|
| id | string | API key record id. |
| name | string | 3-64 trimmed characters. |
| publicId | string | Public lookup id, for example bak_0123456789abcdef. |
| keyLast4 | string | Last four characters of the full plaintext key. |
| scopes | string[] | Unique Management API scopes. |
| allApplications | boolean | Whether the key may access every application. |
| applicationIds | string[] | Allowed application ids when allApplications is false. |
| expiresAt | string \| null | ISO 8601 expiration time. null means no expiration. |
| revokedAt | string \| null | Set after revocation. |
| lastUsedAt | string \| null | Last successful authentication time. |
| lastUsedIp | string \| null | Last successful authentication IP. |
| createdAt | string | ISO 8601 timestamp. |
| updatedAt | string | ISO 8601 timestamp. |
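The metadata fields above are enough to run a periodic key hygiene review. The following is an added example, not part of the BlazeAuth documentation or code: it audits a constructed list response for keys with no expiration, access to every application, an expiry date that has passed without revocation, or no recent use. The 90-day threshold, the finding labels, and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(value):
    """Parse a metadata timestamp such as 2026-05-12T09:00:00.000Z; null stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_keys(keys, now, stale_days=90):
    """Return {key id: [findings]} for keys that are not revoked."""
    stale = timedelta(days=stale_days)
    report = {}
    for key in keys:
        if key["revokedAt"] is not None:
            continue  # already revoked, nothing left to clean up
        findings = []
        expires = parse_ts(key["expiresAt"])
        last_used = parse_ts(key["lastUsedAt"])
        if expires is None:
            findings.append("no-expiry")
        elif expires <= now:
            findings.append("expired-not-revoked")
        if key["allApplications"]:
            findings.append("all-applications")
        if last_used is None:
            # Never authenticated: measure idleness from creation instead.
            if now - parse_ts(key["createdAt"]) > stale:
                findings.append("never-used")
        elif now - last_used > stale:
            findings.append("stale")
        if findings:
            report[key["id"]] = findings
    return report

# Constructed sample: the list route's "data" array, trimmed to the fields read above.
SAMPLE_KEYS = [
    {"id": "9001", "allApplications": False, "expiresAt": "2026-08-10T12:00:00.000Z",
     "revokedAt": None, "lastUsedAt": "2026-05-12T10:15:00.000Z", "createdAt": "2026-05-12T09:00:00.000Z"},
    {"id": "9002", "allApplications": True, "expiresAt": None,
     "revokedAt": None, "lastUsedAt": None, "createdAt": "2026-01-05T09:00:00.000Z"},
    {"id": "9003", "allApplications": False, "expiresAt": "2026-05-01T00:00:00.000Z",
     "revokedAt": None, "lastUsedAt": "2026-02-01T08:00:00.000Z", "createdAt": "2025-11-01T09:00:00.000Z"},
    {"id": "9004", "allApplications": True, "expiresAt": None,
     "revokedAt": "2026-03-01T00:00:00.000Z", "lastUsedAt": None, "createdAt": "2025-10-01T09:00:00.000Z"},
]
NOW = datetime(2026, 6, 1, tzinfo=timezone.utc)  # fixed clock so the results are reproducible

if __name__ == "__main__":
    for key_id, findings in audit_keys(SAMPLE_KEYS, NOW).items():
        print(key_id, ", ".join(findings))
```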
List API keys
GET /api/v1/panel/api-keys
curl "https://api.blazeauth.net/api/v1/panel/api-keys" \
-H "Cookie: session=$BLAZEAUTH_DASHBOARD_SESSION"

{
"success": true,
"message": "Successfully fetched API keys.",
"data": [
{
"id": "9001",
"name": "Backend sync",
"publicId": "bak_0123456789abcdef",
"keyLast4": "W9yy",
"scopes": ["applications:read", "licenses:create"],
"allApplications": false,
"applicationIds": ["123456789"],
"expiresAt": "2026-08-10T12:00:00.000Z",
"revokedAt": null,
"lastUsedAt": "2026-05-12T10:15:00.000Z",
"lastUsedIp": "203.0.113.10",
"createdAt": "2026-05-12T09:00:00.000Z",
"updatedAt": "2026-05-12T09:00:00.000Z"
}
]
}

Create API key
POST /api/v1/panel/api-keys
Rate limit: 10 creates per hour.
curl "https://api.blazeauth.net/api/v1/panel/api-keys" \
-X POST \
-H "Cookie: session=$BLAZEAUTH_DASHBOARD_SESSION" \
-H "Content-Type: application/json" \
-d '{
"name": "Backend sync",
"expiresAt": "2026-08-10T12:00:00.000Z",
"scopes": ["applications:read", "licenses:create"],
"allApplications": false,
"applicationIds": ["123456789"]
}'

| Field | Type | Required | Notes |
|---|---|---|---|
| name | string | Yes | 3-64 trimmed characters. |
| expiresAt | string \| null | No | ISO 8601 date. null creates a non-expiring key. Omitted value uses backend default behavior. |
| scopes | string[] | Yes | At least one unique scope. |
| allApplications | boolean | No | Defaults to false. |
| applicationIds | string[] | No | Required to contain at least one id when allApplications is false. |

{
"success": true,
"message": "Successfully created API key.",
"data": {
"apiKey": {
"id": "9001",
"name": "Backend sync",
"publicId": "bak_0123456789abcdef",
"keyLast4": "W9yy",
"scopes": ["applications:read", "licenses:create"],
"allApplications": false,
"applicationIds": ["123456789"],
"expiresAt": "2026-08-10T12:00:00.000Z",
"revokedAt": null,
"lastUsedAt": null,
"lastUsedIp": null,
"createdAt": "2026-05-12T09:00:00.000Z",
"updatedAt": "2026-05-12T09:00:00.000Z"
},
"plaintextKey": "blz_mgmt_bak_0123456789abcdef_0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKL"
}
}

Update API key
PATCH /api/v1/panel/api-keys/:id
All body fields are optional, but at least one field must be provided.
curl "https://api.blazeauth.net/api/v1/panel/api-keys/9001" \
-X PATCH \
-H "Cookie: session=$BLAZEAUTH_DASHBOARD_SESSION" \
-H "Content-Type: application/json" \
-d '{
"name": "Backend sync readonly",
"scopes": ["applications:read", "licenses:read"],
"allApplications": false,
"applicationIds": ["123456789"]
}'

| Field | Type | Required | Notes |
|---|---|---|---|
| name | string | No | 3-64 trimmed characters. |
| expiresAt | string \| null | No | Use null to remove expiration. |
| scopes | string[] | No | At least one unique scope when provided. |
| allApplications | boolean | No | If set to false, provide at least one applicationIds value. |
| applicationIds | string[] | No | Unique application ids. |

{
"success": true,
"message": "Successfully updated API key.",
"data": {
"id": "9001",
"name": "Backend sync readonly",
"publicId": "bak_0123456789abcdef",
"keyLast4": "W9yy",
"scopes": ["applications:read", "licenses:read"],
"allApplications": false,
"applicationIds": ["123456789"],
"expiresAt": "2026-08-10T12:00:00.000Z",
"revokedAt": null,
"lastUsedAt": "2026-05-12T10:15:00.000Z",
"lastUsedIp": "203.0.113.10",
"createdAt": "2026-05-12T09:00:00.000Z",
"updatedAt": "2026-05-12T11:00:00.000Z"
}
}

Revoke API key
POST /api/v1/panel/api-keys/:id/revoke
Revocation is immediate. Existing requests that already authenticated are not retried,
but future requests using the key fail with api_key_revoked.
curl "https://api.blazeauth.net/api/v1/panel/api-keys/9001/revoke" \
-X POST \
-H "Cookie: session=$BLAZEAUTH_DASHBOARD_SESSION"

{
"success": true,
"message": "Successfully revoked API key."
}