Create an API key for a tenant
Provisions a new API key bound to a tenant. This is the only time the full key secret is returned. Store it securely.
KEY FORMAT:
- Format: cyc_live_{random} or cyc_test_{random} (the prefix marks the live or test environment)
- Random part: 32 characters, cryptographically random
- Stored as: bcrypt hash of the full key (the plaintext key is never persisted; see the note above about it being returned only once)
PERMISSIONS:
- Default for tenant keys: [reservations:create, reservations:commit, reservations:release, reservations:extend, reservations:list, balances:read, budgets:read, budgets:write, policies:read, policies:write]
- Webhook/event self-service requires explicit opt-in: webhooks:read, webhooks:write and events:read are NOT in the default set.
- This endpoint provisions tenant-scoped API keys only. The admin key (X-Admin-API-Key) is configured at the server level, not provisioned through this endpoint.
- Admin permissions (admin:read, admin:write, and granular admin permissions like admin:tenants:read) are accepted for backward compatibility but SHOULD NOT be assigned to new tenant keys. Use the granular tenant permissions instead.
- Can be restricted to specific scopes via scope_filter
EXPIRY:
- Recommended: 90 days for security
- Can be set indefinitely, but this is not recommended
- Expired keys automatically fail validation
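The key lifecycle described above (cyc_live_/cyc_test_ prefix, 32-character random part, bcrypt-hashed storage, the default tenant permission set, 90-day expiry with an optional no-expiry override) as an added Python example. This is not the project's code: the alphabet of the random part, the use of the leading characters of the random part as a database lookup id (a salted bcrypt hash cannot be indexed, so something other than the hash has to locate the record), and the in-memory KeyStore are all assumptions made for the example. If the bcrypt package is not installed, the block falls back to a stdlib scrypt stand-in so it still runs offline; that fallback is not what the page specifies.

```python
import hashlib
import hmac
import secrets
import string
import time

# Default tenant-key permission set, copied from the page.
DEFAULT_PERMISSIONS = frozenset({
    "reservations:create", "reservations:commit", "reservations:release",
    "reservations:extend", "reservations:list",
    "balances:read", "budgets:read", "budgets:write",
    "policies:read", "policies:write",
})
ENVS = ("live", "test")
RANDOM_LEN = 32                                    # page: 32 cryptographically random characters
ALPHABET = string.ascii_letters + string.digits   # assumption: the page does not name the alphabet
LOOKUP_LEN = 8   # assumption: leading chars of the random part double as the DB lookup id
DAY = 86400

try:
    import bcrypt    # storage scheme the page specifies: bcrypt hash of the full key

    def hash_secret(secret: bytes) -> bytes:
        return bcrypt.hashpw(secret, bcrypt.gensalt())

    def verify_secret(secret: bytes, stored: bytes) -> bool:
        return bcrypt.checkpw(secret, stored)
except ImportError:  # stdlib stand-in (scrypt + random salt) so the example runs without bcrypt installed
    def hash_secret(secret: bytes) -> bytes:
        salt = secrets.token_bytes(16)
        return salt + hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1)

    def verify_secret(secret: bytes, stored: bytes) -> bool:
        salt, digest = stored[:16], stored[16:]
        return hmac.compare_digest(hashlib.scrypt(secret, salt=salt, n=2**14, r=8, p=1), digest)


def generate_key(env: str) -> str:
    """Build 'cyc_live_<32 random chars>' or 'cyc_test_<32 random chars>' from a CSPRNG."""
    if env not in ENVS:
        raise ValueError("env must be 'live' or 'test'")
    random_part = "".join(secrets.choice(ALPHABET) for _ in range(RANDOM_LEN))
    return f"cyc_{env}_{random_part}"


def parse_key(full_key: str):
    """Return (env, random_part) for a well-formed key, or None, without touching the store."""
    parts = full_key.split("_", 2)
    if len(parts) != 3 or parts[0] != "cyc" or parts[1] not in ENVS:
        return None
    random_part = parts[2]
    if len(random_part) != RANDOM_LEN or any(c not in ALPHABET for c in random_part):
        return None
    return parts[1], random_part


def legacy_admin_permissions(permissions):
    """admin:* permissions are accepted on tenant keys only for backward compatibility; surface them."""
    return sorted(p for p in permissions if p.startswith("admin:"))


class KeyStore:
    """In-memory stand-in for the server's key table; records hold the hash, never the key itself."""

    def __init__(self):
        self._by_lookup = {}   # lookup_id -> list of records, so two keys sharing a lookup id both work

    def create_key(self, tenant_id, env="live", permissions=None, expires_in_days=90, now=None):
        """Provision a key and return the full secret exactly once; expires_in_days=None means no expiry."""
        now = time.time() if now is None else now
        full_key = generate_key(env)
        _, random_part = parse_key(full_key)
        record = {
            "tenant_id": tenant_id,
            "env": env,
            "permissions": frozenset(DEFAULT_PERMISSIONS if permissions is None else permissions),
            "hash": hash_secret(full_key.encode()),
            "created_at": now,
            "expires_at": None if expires_in_days is None else now + expires_in_days * DAY,
        }
        self._by_lookup.setdefault(random_part[:LOOKUP_LEN], []).append(record)
        return full_key

    def validate(self, full_key, now=None):
        """Return the record if the key is well-formed, matches a stored hash and is unexpired, else None."""
        now = time.time() if now is None else now
        parsed = parse_key(full_key)
        if parsed is None:
            return None
        _, random_part = parsed
        for record in self._by_lookup.get(random_part[:LOOKUP_LEN], []):
            if verify_secret(full_key.encode(), record["hash"]):
                if record["expires_at"] is not None and now >= record["expires_at"]:
                    return None   # expired keys automatically fail validation
                return record
        return None
```

Two details worth keeping when adapting this: the format check in parse_key runs before any database or bcrypt work, so malformed input is rejected cheaply, and a tampered key that keeps the same leading characters still reaches the stored record but fails the hash comparison rather than leaking which half was wrong.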
Authorizations
AdminKeyAuth: Administrative API key with full system access. Also accepted as an alternative to ApiKeyAuth on an explicit per-operation allowlist. The authoritative list is the union of operations whose security: block declares AdminKeyAuth; consult the per-operation security blocks rather than this prose, which has historically drifted as the dual-auth surface expanded. When using AdminKeyAuth on list or fund endpoints, a tenant scoping parameter (typically tenant or tenant_id) is required (400 if missing); the per-operation description specifies which one. Lookup-style endpoints that uniquely identify a resource by a non-tenant key (e.g. GET /v1/admin/budgets/lookup, where the (scope, unit) pair is unique) do NOT require a tenant parameter. Allowlisting is per-operation (exact method:path matching, no prefix matching, no wildcards), so new endpoints do not accidentally inherit admin-accessible status.
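The allowlist semantics above (exact method:path matching with no prefixes or wildcards, a required tenant scoping parameter on list and fund endpoints that yields 400 when absent, and lookup-style endpoints that need no tenant parameter) as an added Python example. This is not the project's middleware: the allowlist entries other than GET /v1/admin/budgets/lookup are constructed for the example, and the 401 and 403 outcomes are assumptions, since the page only specifies the 400.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist modelled on the page's description. Each entry maps an exact "METHOD /path"
# to the name of its required tenant scoping parameter, or None for lookup-style endpoints.
ADMIN_ALLOWLIST = {
    "GET /v1/admin/budgets/lookup": None,   # named on the page: (scope, unit) is unique, no tenant param
    "GET /v1/reservations": "tenant_id",    # assumption: a list endpoint scoped by tenant_id
    "POST /v1/budgets/fund": "tenant",      # assumption: a fund endpoint scoped by tenant
}


def authorize_admin_request(method: str, url: str, has_admin_key: bool):
    """Return (status, reason) for a request presenting AdminKeyAuth instead of ApiKeyAuth.

    401: no admin key presented (assumed status).
    403: operation not on the allowlist (assumed status).
    400: allowlisted, but the required tenant scoping parameter is missing (status stated on the page).
    200: allowlisted and correctly scoped.
    """
    if not has_admin_key:
        return 401, "admin key missing"
    parts = urlsplit(url)
    operation = f"{method.upper()} {parts.path}"
    # Exact match on the full method and path: "/v1/reservations/123" and a trailing-slash variant
    # are different operations and do not inherit admin access from "/v1/reservations".
    if operation not in ADMIN_ALLOWLIST:
        return 403, f"{operation} is not admin-accessible"
    param = ADMIN_ALLOWLIST[operation]
    if param is not None:
        values = parse_qs(parts.query).get(param, [])
        if not values or not values[0]:
            return 400, f"missing required tenant scoping parameter '{param}'"
    return 200, "ok"
```

Because the check is keyed on the literal method and path, adding a new route under an existing prefix never widens admin access until someone adds its own entry, which is the property the page is describing.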
Request Body
Responses
API key created