API keys
API keys let a backend service call Limen on behalf of a tenant, without a user session. They're the right credential for cron jobs, integrations, and any server you control.
Live and test keys
Keys are prefixed by environment so they're easy to tell apart and hard to misuse:
ak_live_…— production traffic.ak_test_…— development and staging.
A key is scoped to the tenant that created it and carries tenant-admin authority within it.
Issuing a key
Create keys from the Console (API keys → New key), or over the API with an existing admin credential:
curl -X POST https://api.limen.eu/v1/acme/api-keys \
-H "Authorization: Bearer <admin-access-token>" \
-H "content-type: application/json" \
-d '{ "name": "billing-worker", "environment": "live" }'
The full key is returned only in the creation response. Store it in your secret manager immediately — Limen keeps only a hash and cannot show it again.
Using a key
Send it as a bearer token, exactly like an access token:
curl https://api.limen.eu/v1/acme/users \
-H "Authorization: Bearer ak_live_…"
Revoking a key
Revoke from the Console, or over the API. Revocation takes effect immediately —
the next request with that key is rejected with 401.
curl -X DELETE https://api.limen.eu/v1/acme/api-keys/{keyId} \
-H "Authorization: Bearer <admin-access-token>"
A key acts for the whole tenant and does not expire on its own. Keep it on servers you control. For end-user authentication, use user sessions instead.
Every key creation and revocation is written to the audit log.