API: Keys

API keys provide programmatic access to the Flokk API. Keys start with sk_live_ and are shown once at creation — store them securely.

Generate a key

POST /api/v1/api-keys
{ "label": "ci-deploy" }

Response:

{
  "id": "550e8400-...",
  "key": "sk_live_Ab3xYzQ7...",
  "prefix": "sk_live_Ab3x",
  "label": "ci-deploy"
}

The key field is the full plaintext key. It is not stored by Flokk — only the SHA-256 hash is kept. Copy it now.

List keys

GET /api/v1/api-keys

Returns an array of keys with id, prefix, label, last_used, and created_at. The full key is never returned again after creation.

Revoke a key

DELETE /api/v1/api-keys/:id

Immediately invalidates the key. Any requests using it will receive 401.

Security

• Keys are hashed with SHA-256 before storage — Flokk never holds your plaintext key
• Each API call updates the last_used timestamp for auditing
• All key operations are logged in the audit log
• Rotate keys periodically — revoke old ones and generate new ones