API keys

API keys let a backend service call Limen on behalf of a tenant, without a user session. They're the right credential for cron jobs, integrations, and any server you control.

Live and test keys

Keys are prefixed by environment so they're easy to tell apart and hard to misuse:

  • ak_live_… — production traffic.
  • ak_test_… — development and staging.

A key is scoped to the tenant that created it and carries tenant-admin authority within it.

Issuing a key

Create keys from the Console (API keysNew key), or over the API with an existing admin credential:

curl -X POST https://api.limen.eu/v1/acme/api-keys \
  -H "Authorization: Bearer <admin-access-token>" \
  -H "content-type: application/json" \
  -d '{ "name": "billing-worker", "environment": "live" }'
Shown once

The full key is returned only in the creation response. Store it in your secret manager immediately — Limen keeps only a hash and cannot show it again.

Using a key

Send it as a bearer token, exactly like an access token:

curl https://api.limen.eu/v1/acme/users \
  -H "Authorization: Bearer ak_live_…"

Revoking a key

Revoke from the Console, or over the API. Revocation takes effect immediately — the next request with that key is rejected with 401.

curl -X DELETE https://api.limen.eu/v1/acme/api-keys/{keyId} \
  -H "Authorization: Bearer <admin-access-token>"
Never expose a key client-side

A key acts for the whole tenant and does not expire on its own. Keep it on servers you control. For end-user authentication, use user sessions instead.

Every key creation and revocation is written to the audit log.