API Keys & Usage
Tags: ApiKeys, Usage · Version: v1 · Stability: 🟢 Stable
API keys are the machine credential. Your backend sends X-Api-Key: <key>
to the render endpoints — no JWT, no user password. Key
management itself is JWT-only.
List API keys
GET /api/api-keys · JWT — returns the workspace's keys (metadata only; the
secret is never returned after creation).
Create an API key
POST /api/api-keys · JWT
{ "name": "production-backend" }
name is required (a human label). The response includes the secret key
value — shown only once. Store it securely; you cannot retrieve it again.
Revoke an API key
DELETE /api/api-keys/{id} · JWT — {id} is a UUID. Immediately invalidates the
key.
Usage
GET /api/usage · JWT
Returns this workspace's current-month render counts, split by source
(api vs preview). This is the same data behind the usage card in the
platform.
:::note Quota enforcement
Usage is metered but not yet enforced — there is no hard limit/402 today.
Quota enforcement (a monthly limit + 402 Payment Required when exceeded) is on
the roadmap and depends on the pricing decision.
:::
Related
- Rendering — where API keys are used.
- Authentication — the JWT lane for management.