Skip to Content
API ReferenceAPI Keys

API Keys

Create and manage API keys for authenticating with the Expunct API. Each key is scoped to a single tenant.

API Key Object

FieldTypeDescription
idstringUnique key identifier
namestringHuman-readable name for the key
prefixstringFirst characters of the key (e.g. pk_live_abc...)
created_atstringISO 8601 timestamp
last_used_atstringISO 8601 timestamp of last use (null if never used)

The full key value is only returned once, at creation time.

POST /api-keys

Create a new API key. The full key is included in the response and will not be shown again.

Request Body

FieldTypeRequiredDescription
namestringYesA descriptive name for the key

Example

curl -X POST https://api.pii-redactor.dev/api/v1/api-keys \
  -H "X-API-Key: pk_live_abc123" \
  -H "Content-Type: application/json" \
  -d '{"name": "Production Backend"}'
{
  "id": "key_u1v2w3x4",
  "name": "Production Backend",
  "key": "pk_live_f8a3b2c1d4e5f6g7h8i9j0k1l2m3n4o5",
  "prefix": "pk_live_f8a...",
  "created_at": "2026-02-13T10:00:00Z",
  "last_used_at": null
}

Store the key value securely. It cannot be retrieved again after this response.

GET /api-keys

List all API keys for the current tenant. Only the prefix is shown, not the full key.

Example

curl https://api.pii-redactor.dev/api/v1/api-keys \
  -H "X-API-Key: pk_live_abc123"
[
  {
    "id": "key_u1v2w3x4",
    "name": "Production Backend",
    "prefix": "pk_live_f8a...",
    "created_at": "2026-02-13T10:00:00Z",
    "last_used_at": "2026-02-13T14:30:00Z"
  },
  {
    "id": "key_y5z6a7b8",
    "name": "CI/CD Pipeline",
    "prefix": "pk_test_d2e...",
    "created_at": "2026-02-10T08:00:00Z",
    "last_used_at": "2026-02-13T09:15:00Z"
  }
]

DELETE /api-keys/{key_id}

Revoke an API key. The key is immediately invalidated and can no longer be used for authentication.

Example

curl -X DELETE https://api.pii-redactor.dev/api/v1/api-keys/key_u1v2w3x4 \
  -H "X-API-Key: pk_live_abc123"
{
  "detail": "API key revoked"
}

This action is irreversible. Any services using the revoked key will receive 401 Unauthorized responses.

Audit LogsPseudonymization