API Keys
Manage API credentials for server-to-server communication.
POST /api-keysGET /api-keysDELETE /api-keys/:id
API Key Format
mk_live_abc123...
Live (production) keys start with mk_live_
mk_test_xyz789...
Test (sandbox) keys start with mk_test_
POST
/api-keysCreate a new API key with specified scopes and rate limits.
Request Body:
| Field | Type | Description |
|---|---|---|
name * | string | Descriptive name for the key |
scopes | string[] | Permission scopes (default: all) |
rateLimitPerMinute | number | Custom rate limit (default: 60) |
Available Scopes:
bookings:readbookings:writeevent_types:readevent_types:writeavailability:readavailability:writeteam:readteam:write
// Request
{
"name": "Production Server",
"scopes": ["bookings:read", "bookings:write"],
"rateLimitPerMinute": 100
}
// Response (201 Created)
{
"apiKey": "mk_live_abc123def456ghi789...",
"key": {
"id": "key_abc123",
"name": "Production Server",
"keyPrefix": "mk_live_abc12",
"scopes": ["bookings:read", "bookings:write"],
"rateLimitPerMinute": 100,
"createdAt": "2024-01-15T10:00:00Z"
}
}⚠️ Store Your Key Securely
The full API key is only shown once in the creation response. Copy it immediately and store it in a secure location (e.g., environment variables, secrets manager). We do not store the full key and cannot retrieve it later.
GET
/api-keysList all API keys for the organization. Only the key prefix is returned (never the full key).
// Response (200 OK)
{
"keys": [
{
"id": "key_abc123",
"name": "Production Server",
"keyPrefix": "mk_live_abc12",
"scopes": ["bookings:read", "bookings:write"],
"lastUsedAt": "2024-01-20T10:00:00Z",
"createdAt": "2024-01-15T10:00:00Z"
}
],
"totalCount": 1
}DELETE
/api-keys/:idImmediately revoke an API key. Any requests using this key will fail with 401 Unauthorized.
When to revoke:
- Key has been accidentally exposed
- Employee with access has left
- Key is no longer needed
- Rotating keys as a security practice