GET /v1/api-keys
List API keys
curl --request GET \
  --url https://api.example.com/v1/api-keys \
  --header "Authorization: Bearer $COGNITO_JWT"
Dashboard JWT only. API keys cannot list sibling keys by design.

Response — 200 OK

keys (ApiKey[])
Every key owned by the calling business, most-recent-first. Secrets are never returned.

Each ApiKey contains:

keyId (string): Same value as prefix. Used on DELETE.
prefix (string): Safe-to-display identifier, e.g. sb_live_Pq778jCf.
label (string): The label set at creation time, if any.
createdAt (string, ISO 8601)
lastUsedAt (string, ISO 8601): Updated best-effort on every successful auth. null if the key has never been used.
revokedAt (string, ISO 8601): Non-null means the key is revoked and returns 403 on every request.

Example

curl "$API_BASE/api-keys" \
  -H "Authorization: Bearer $COGNITO_JWT"
Response (200)
{
  "keys": [
    {
      "keyId": "sb_live_Pq778jCf",
      "prefix": "sb_live_Pq778jCf",
      "label": "production",
      "createdAt": "2026-04-21T...",
      "lastUsedAt": "2026-04-21T...",
      "revokedAt": null
    },
    {
      "keyId": "sb_live_oldKey1",
      "prefix": "sb_live_oldKey1",
      "label": "deprecated",
      "createdAt": "2026-03-10T...",
      "lastUsedAt": "2026-04-02T...",
      "revokedAt": "2026-04-15T..."
    }
  ]
}
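
An added example, not part of this API's own documentation or code: a Python audit of the list response that uses lastUsedAt and revokedAt to flag active keys that were never used or have gone idle, and revoked keys whose lastUsedAt is later than revokedAt. The 30-day idle threshold, the finding names and the sample keys (trimmed to the fields the audit reads) are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the 200 response; not real keys.
SAMPLE = json.loads("""
{"keys": [
  {"keyId": "sb_live_EXAMPLE1", "label": "production",
   "lastUsedAt": "2026-04-21T08:30:00Z", "revokedAt": null},
  {"keyId": "sb_live_EXAMPLE2", "label": "ci",
   "lastUsedAt": "2026-02-01T12:00:00Z", "revokedAt": null},
  {"keyId": "sb_live_EXAMPLE3", "label": "unused",
   "lastUsedAt": null, "revokedAt": null},
  {"keyId": "sb_live_EXAMPLE4", "label": "deprecated",
   "lastUsedAt": "2026-04-02T10:00:00Z", "revokedAt": "2026-04-15T00:00:00Z"},
  {"keyId": "sb_live_EXAMPLE5", "label": "rotated",
   "lastUsedAt": "2026-04-16T10:00:00Z", "revokedAt": "2026-04-15T00:00:00Z"}
]}
""")

def parse_ts(value):
    """Parse an ISO 8601 timestamp; None (never used / not revoked) stays None."""
    if value is None:
        return None
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_keys(response, now, max_idle_days=30):
    """Return {keyId: finding} for keys that deserve a manual review."""
    findings = {}
    for key in response.get("keys", []):
        used = parse_ts(key.get("lastUsedAt"))
        revoked = parse_ts(key.get("revokedAt"))
        if revoked is not None:
            # Revoked keys get 403, so a later lastUsedAt is unexpected.
            # Heuristic only: lastUsedAt is documented as best-effort.
            if used is not None and used > revoked:
                findings[key["keyId"]] = "used-after-revocation"
            continue
        if used is None:
            findings[key["keyId"]] = "active-never-used"
        elif now - used > timedelta(days=max_idle_days):
            findings[key["keyId"]] = "active-idle"
    return findings

if __name__ == "__main__":
    now = datetime(2026, 4, 22, tzinfo=timezone.utc)
    for key_id, finding in audit_keys(SAMPLE, now).items():
        print(key_id, finding)
```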

Errors

Code  Meaning
401   Missing Authorization header, or JWT expired / invalid
403   Used an API key instead of a Cognito JWT