Update API key properties
Partial update — only provided fields are modified. Allows changing permissions, scope restrictions, and metadata without rotating the key secret.
MUTABLE FIELDS: - permissions: Replace the full permission set - scope_filter: Replace scope restrictions - name, description, metadata: Update display/tagging info
IMMUTABLE FIELDS: - tenant_id, key_id, key_prefix, key_hash, expires_at, status - To change expiry: revoke and recreate - To change tenant: revoke and recreate
EVENTS: - Emits api_key.permissions_changed when permissions or scope_filter change.
Authorizations
Administrative API key with full system access. Also accepted as an alternative to ApiKeyAuth on an explicit per-operation allowlist — the authoritative list is the union of operations whose security: block declares AdminKeyAuth (consult per-operation security blocks rather than this prose, which has historically drifted as the dual-auth surface expanded). When using AdminKeyAuth on list or fund endpoints, a tenant scoping parameter (typically tenant or tenant_id) is required for scoping (400 if missing) — the per-operation description specifies which. Lookup-style endpoints that uniquely identify a resource by non-tenant key (e.g. GET /v1/admin/budgets/lookup, where the (scope, unit) pair is unique) do NOT require a tenant parameter. Allowlisting is per-operation (exact method:path matching — no prefix matching, no wildcards) so new endpoints do not accidentally inherit admin-accessible status.
Parameters
Path Parameters
Request Body
Responses
Key updated