API Keys
API keys authenticate all requests to the Banklyze API. Keys are scoped to your organization and must be passed in the X-API-Key request header. Each organization can have multiple keys — use separate keys for different environments, integrations, or team members so that individual keys can be revoked without disrupting others.
The full key value is only returned once at creation time. After that, only the key_prefix (first 12 characters) is exposed in list and detail responses. Store keys in a secrets manager, not in source code or environment files committed to version control.
Create a new API key for your organization. The response includes the full key value exactly once — it cannot be retrieved after this response is returned. Keys are active immediately upon creation.
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
| name | string | Required | A human-readable label for this key (max 255 characters). Used to identify the key in the dashboard and list responses. |
| scopes | string[] | Default: ["read", "write"] | Permission scopes for this key: read, write. Defaults to ["read", "write"] if not specified. |
| expires_at | string (ISO 8601) | Optional | Optional expiration date-time in UTC. The key will stop authenticating requests after this time. Omit for a non-expiring key. |
Example
curl -X POST https://api.banklyze.com/v1/keys \
  -H "X-API-Key: your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Integration"
  }'
Response
{
  "id": 3,
  "name": "Production Integration",
  "key": "bkz_live_a8f3d2c1e9b47f6a0d5e2c8b1a4f7d3e",
  "key_prefix": "bkz_live_a8f3",
  "scopes": ["read", "write"],
  "expires_at": null,
  "created_at": "2026-03-04T11:00:00Z",
  "message": "Store this key securely — it will not be shown again."
}
Retrieve all API keys for your organization. Key values are masked in this response — only the key_prefix is returned. Keys are returned in creation order, newest last.
Query Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| page | integer | Default: 1 | Page number (1-indexed) |
| per_page | integer | Default: 25 | Results per page (max 100) |
Example
curl -X GET https://api.banklyze.com/v1/keys \
  -H "X-API-Key: your_api_key_here"
Response
{
  "data": [
    {
      "id": 1,
      "name": "Default Key",
      "key_prefix": "bkz_live_df1a",
      "scopes": ["read", "write"],
      "last_used_at": "2026-03-04T09:47:12Z",
      "expires_at": null,
      "created_at": "2026-01-10T09:00:00Z"
    },
    {
      "id": 2,
      "name": "Read-Only Dashboard",
      "key_prefix": "bkz_live_c3e9",
      "scopes": ["read"],
      "last_used_at": "2026-03-03T16:20:05Z",
      "expires_at": "2027-01-01T00:00:00Z",
      "created_at": "2026-02-01T14:30:00Z"
    },
    {
      "id": 3,
      "name": "Production Integration",
      "key_prefix": "bkz_live_a8f3",
      "scopes": ["read", "write"],
      "last_used_at": null,
      "expires_at": null,
      "created_at": "2026-03-04T11:00:00Z"
    }
  ],
  "meta": {
    "page": 1,
    "per_page": 25,
    "total": 3,
    "total_pages": 1
  }
}
Permanently revoke an API key. All subsequent requests using this key will be rejected with a 401 Unauthorized response. Revocation is irreversible — the key cannot be restored. To temporarily disable a key, use the dashboard instead.
You cannot revoke the key that is currently authenticating this request. Use a different key or the Banklyze dashboard to revoke your active key.
Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| key_id | integer | Required | The unique API key ID (from the list response) |
Example
curl -X DELETE https://api.banklyze.com/v1/keys/3 \
  -H "X-API-Key: your_api_key_here"
Response
{
  "status": "ok",
  "message": "API key revoked successfully"
}
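An added example, not part of the Banklyze documentation: a Python audit over the list response shown earlier that flags keys worth rotating or revoking (no expiry, write scope without expiry, idle or never used). The function names, finding labels and the 30-day and 14-day thresholds are assumptions made for this example; the sample data is the "data" array from the list response on this page.

```python
import json
from datetime import datetime, timedelta

# Sample input: the "data" array from the list response on this page.
SAMPLE_KEYS = json.loads("""[
 {"id": 1, "name": "Default Key", "scopes": ["read", "write"], "expires_at": null,
  "last_used_at": "2026-03-04T09:47:12Z", "created_at": "2026-01-10T09:00:00Z"},
 {"id": 2, "name": "Read-Only Dashboard", "scopes": ["read"], "expires_at": "2027-01-01T00:00:00Z",
  "last_used_at": "2026-03-03T16:20:05Z", "created_at": "2026-02-01T14:30:00Z"},
 {"id": 3, "name": "Production Integration", "scopes": ["read", "write"], "expires_at": null,
  "last_used_at": null, "created_at": "2026-03-04T11:00:00Z"}
]""")


def parse_ts(value):
    """Parse the API's UTC timestamps (trailing 'Z'); None stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(keys, now, stale_after_days=30, expiry_warning_days=14):
    """Return {key_id: [finding, ...]} for keys that deserve review.

    Thresholds and finding labels are assumptions chosen for this example.
    """
    findings = {}
    for key in keys:
        notes = []
        expires = parse_ts(key.get("expires_at"))
        last_used = parse_ts(key.get("last_used_at"))
        if expires is None:
            notes.append("no-expiry")
            if "write" in key.get("scopes", []):
                notes.append("write-without-expiry")
        elif expires <= now:
            notes.append("expired")
        elif expires - now <= timedelta(days=expiry_warning_days):
            notes.append("expires-soon")
        # Idle keys are revocation candidates; a never-used key ages from created_at.
        last_activity = last_used or parse_ts(key["created_at"])
        if now - last_activity > timedelta(days=stale_after_days):
            notes.append("never-used" if last_used is None else "stale")
        if notes:
            findings[key["id"]] = notes
    return findings


if __name__ == "__main__":
    now = parse_ts("2026-04-15T00:00:00Z")  # fixed "now" so the output is reproducible
    for key_id, notes in audit_keys(SAMPLE_KEYS, now).items():
        print(key_id, ", ".join(notes))
```

The returned IDs are the key_id values the revoke endpoint expects, so the findings can feed a review queue before any DELETE is issued.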