Create API Key
POST
/web/v1/workspaces/{workspaceId}/api-keysJWTCreates a new API key for the specified workspace. The response includes the API key secret, which is only returned once at creation time. Clients must store the secret securely; it cannot be retrieved again.
Authentication
Auth Chain: WEB Chain — requires
Authorization: Bearer <jwt>Requires workspace OWNER role. These headers are injected by the system (frontend does nothing):X-PORTAL-ACCESS-CODE(Nginx),X-Request-Id(Gateway)
Request Parameters
| Name | Type | Required | In | Description |
|---|---|---|---|---|
workspaceId | string | Yes | path | Workspace business ID |
name | string | Yes | body | Display name for the API key (1-128 characters) |
scopes | string[] | No | body | List of API scope codes to restrict access. If empty, the key has zero access. |
mode | integer | No | body | Key mode: `1` = LIVE (default), `2` = TEST (sandbox). Only PARTNER portal can create TEST keys. |
ipWhitelist | string[] | No | body | IP whitelist. Supports single IPs (`192.168.1.100`) and CIDR notation (`192.168.1.0/24`). Empty means no IP restriction. |
Success Response
Created201
{
"version": "1.3.0",
"timestamp": 1709337600000,
"success": true,
"code": "2000",
"message": "SUCCESS",
"data": {
"apiKeyId": "sk_live_abc123",
"secret": "sk_live_**********",
"name": "Production Key",
"status": "ACTIVE",
"mode": "LIVE",
"scopes": [
"payment:read",
"payment:write"
],
"ipWhitelist": [
"192.168.1.0/24"
],
"createdAt": "2026-03-21T00:00:00Z"
}
}Error Responses
Unauthorized401
{
"success": false,
"code": "4010",
"message": "Invalid or expired token"
}Forbidden — not workspace owner403
{
"success": false,
"code": "4030",
"message": "Only workspace owner can manage API keys"
}Notes
- The
secretfield is returned only once at creation time. It cannot be retrieved again; prompt the user to save it immediately. - Only workspace OWNERs can create API keys.
- If
scopesis empty or null, the key will be denied at every API permission check (zero-scope = zero-access).