API: Keys
Flapjack REST API endpoints for creating, listing, and revoking API keys.
Manage API keys for programmatic access to the Flapjack API.
List Keys
GET /api/keys
List all API keys for your organization.
Note: Key management endpoints require user authentication (Supabase JWT). API keys (fj_live_*) are rejected with 403 FORBIDDEN.
curl https://api.flapjack.dev/api/keys \
-H "Authorization: Bearer <supabase-jwt>"
Response 200:
[
{
"id": "key-001",
"prefix": "fj_live_a3b2...",
"name": "Production",
"last_used_at": "2026-03-28T11:00:00Z",
"created_at": "2026-03-01T00:00:00Z"
}
]
Note: The full key is never returned in list responses. Only the prefix is shown.
Create Key
POST /api/keys
Generate a new API key.
Request body:
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Label for the key (returns MISSING_NAME if absent) |
curl -X POST https://api.flapjack.dev/api/keys \
-H "Authorization: Bearer <supabase-jwt>" \
-H "Content-Type: application/json" \
-d '{"name": "Production"}'
Response 201:
{
"id": "key-002",
"key": "fj_live_abc123def456...",
"prefix": "fj_live_abc123...",
"name": "Production",
"created_at": "2026-03-28T12:00:00Z"
}
Important: key is returned only once at creation time. Store it securely. If lost, revoke the key and create a new one.
π Copy as prompt
Create a new Flapjack API key via the API. POST to
/api/keyswith an optional name. Save therawKeyfrom the response β it's only shown once.
Revoke Key
DELETE /api/keys/{keyId}
Permanently revoke an API key. This takes effect immediately.
curl -X DELETE https://api.flapjack.dev/api/keys/key-001 \
-H "Authorization: Bearer <supabase-jwt>"
Response 200:
{ "ok": true }
Key Format
All Flapjack API keys follow this format:
fj_live_<random_hex>
The fj_live_ prefix identifies the key as a Flapjack API key. Keys are stored as SHA-256 HMAC hashes β Flapjack never stores the raw key.
Next Steps
- Concepts: Authentication β security model
- API: Overview β base URL, errors