> ## Documentation Index
> Fetch the complete documentation index at: https://docs-openpay.nipuntheekshana.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage API Keys

> Create, list, and revoke API keys for server-to-server authentication

API keys allow merchants to authenticate server-to-server integrations without using Bearer tokens. Each key consists of a key ID and a secret.

***

## Create API Key

<ParamField header="Authorization" type="string" required>
  Bearer token.
</ParamField>

```
POST /v1/api-keys
```

### Request Body

<ParamField body="name" type="string" required>
  A descriptive label for the API key (e.g., `Production Server`).
</ParamField>

<ParamField body="permissions" type="string[]">
  List of permission scopes. Defaults to all permissions. Options: `payments:read`, `payments:write`, `settlements:read`, `settlements:write`, `webhooks:manage`.
</ParamField>

### Example Request

```json theme={null}
{
  "name": "Production Server",
  "permissions": ["payments:read", "payments:write", "webhooks:manage"]
}
```

### Example Response (201)

```json theme={null}
{
  "id": "key_abc123",
  "name": "Production Server",
  "apiKey": "opk_live_a1b2c3d4e5f6",
  "apiSecret": "ops_live_x9y8z7w6v5u4",
  "permissions": ["payments:read", "payments:write", "webhooks:manage"],
  "createdAt": "2026-03-26T10:00:00Z"
}
```

<Warning>
  The `apiSecret` is returned only once at creation time. Store it securely -- it cannot be retrieved again.
</Warning>

***

## List API Keys

```
GET /v1/api-keys
```

Returns all API keys for the authenticated merchant. Secrets are not included in the response.

### Example Response (200)

```json theme={null}
{
  "data": [
    {
      "id": "key_abc123",
      "name": "Production Server",
      "apiKey": "opk_live_a1b2c3d4e5f6",
      "permissions": ["payments:read", "payments:write", "webhooks:manage"],
      "lastUsedAt": "2026-03-26T11:30:00Z",
      "createdAt": "2026-03-26T10:00:00Z"
    },
    {
      "id": "key_def456",
      "name": "Staging Server",
      "apiKey": "opk_test_g7h8i9j0k1l2",
      "permissions": ["payments:read"],
      "lastUsedAt": null,
      "createdAt": "2026-03-25T08:00:00Z"
    }
  ]
}
```

***

## Revoke API Key

```
DELETE /v1/api-keys/{id}
```

Permanently revokes an API key. This action cannot be undone.

### Path Parameters

<ParamField path="id" type="string" required>
  The API key identifier (e.g., `key_abc123`).
</ParamField>

### Example Response (200)

```json theme={null}
{
  "message": "API key revoked successfully"
}
```

### Error Responses

```json 404 Not Found theme={null}
{
  "error": {
    "code": "NOT_FOUND",
    "message": "API key not found"
  }
}
```
