Use an API key or a short-lived JWT to authenticate requests. When both headers are provided, the JWT (x-client-auth) takes precedence over the API key (x-api-key).
API Key Flow
API Key operations manage long-lived keys on behalf of your client.
Create API Key
Generate a new API key for your client.
curl -X POST "https://api.useonion.xyz/v1/api-keys" \
-H "x-api-key: sk_live_..."
- x-api-key (header): Active API key for authentication
Response: 200 OK
{
  "id": "key_12345",
  "key": "sk_live_XXXXXXXXXXXXXXXX",
  "prefix": "abcdefgh",
  "createdAt": "2025-05-05T14:00:00Z"
}
List API Keys
Retrieve all API keys for your client.
curl -X GET "https://api.useonion.xyz/v1/api-keys" \
-H "x-api-key: sk_live_..."
- x-api-key (header): Active API key for authentication
Response: 200 OK
[
  {
    "id": "key_12345",
    "prefix": "abcdefgh",
    "createdAt": "2025-05-05T14:00:00Z",
    "lastUsedAt": "2025-05-05T15:00:00Z",
    "revokedAt": null
  }
]
Revoke API Key
Invalidate an existing API key to prevent further use.
curl -X DELETE "https://api.useonion.xyz/v1/api-keys/{keyId}" \
-H "x-api-key: sk_live_..."
- x-api-key (header): Active API key for authentication
- keyId (path): The ID of the key to revoke
Response: 200 OK
Response: 404 Not Found
{ "message": "API key not found" }
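Added example (not part of the original documentation or the provider's code): a Python audit over the List API Keys response that flags active keys which are old or idle and prints the Revoke call for each. The 90-day and 30-day thresholds, the key_example_* entries and a null lastUsedAt for never-used keys are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the List API Keys response; only key_12345
# is from the page. A null lastUsedAt for a never-used key is an assumption.
SAMPLE = """[
 {"id": "key_12345", "prefix": "abcdefgh", "createdAt": "2025-05-05T14:00:00Z",
  "lastUsedAt": "2025-05-05T15:00:00Z", "revokedAt": null},
 {"id": "key_example_a", "prefix": "aaaaaaaa", "createdAt": "2025-08-01T09:00:00Z",
  "lastUsedAt": "2025-08-30T09:00:00Z", "revokedAt": null},
 {"id": "key_example_b", "prefix": "bbbbbbbb", "createdAt": "2025-03-01T09:00:00Z",
  "lastUsedAt": "2025-03-20T09:00:00Z", "revokedAt": "2025-04-01T09:00:00Z"},
 {"id": "key_example_c", "prefix": "cccccccc", "createdAt": "2025-07-01T09:00:00Z",
  "lastUsedAt": null, "revokedAt": null}
]"""

def parse_ts(value):
    """Parse a UTC timestamp such as 2025-05-05T14:00:00Z; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_keys(keys, now, max_age_days=90, max_idle_days=30):
    """Return active keys that break the (assumed) age or idle policy."""
    findings = []
    for key in keys:
        if key.get("revokedAt") is not None:
            continue  # already revoked, nothing to do
        created = parse_ts(key["createdAt"])
        last_used = parse_ts(key.get("lastUsedAt"))
        reasons = []
        if now - created > timedelta(days=max_age_days):
            reasons.append("age")
        # A key that was never used counts as idle since its creation.
        if now - (last_used or created) > timedelta(days=max_idle_days):
            reasons.append("never_used" if last_used is None else "idle")
        if reasons:
            findings.append({"id": key["id"], "prefix": key["prefix"], "reasons": reasons,
                             "revoke": "DELETE /v1/api-keys/" + key["id"]})
    return findings

if __name__ == "__main__":
    now = datetime(2025, 9, 1, tzinfo=timezone.utc)  # fixed so the output is repeatable
    for f in audit_keys(json.loads(SAMPLE), now):
        print(f["id"], f["prefix"], ",".join(f["reasons"]), "->", f["revoke"])
```

Only id, prefix and timestamps are read, so the report can be logged without exposing key material.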