Create a new API key
POST /api/v1/api-keys

Authentication
- Bearer Token: `Authorization` (JWT access token)
- API Key: `X-API-Key` (API key for management-tier access)

Request body
- `name` * (string): API key name
- `description` (string): API key description
- `access_mode` * (enum: "scoped" | "full_access"): Required. `scoped` enforces the `scopes` array on every authorization check (deny if the requested permission isn't listed). `full_access` bypasses RBAC entirely within the key's Application: every permission is granted. Pick `scoped` whenever possible; `full_access` should be a deliberate choice (use cases: bootstrap automation, trusted backend services that legitimately need App-wide access). `scoped` requires a non-empty `scopes` array; `full_access` forbids `scopes`.
- `scopes` (string[]): Permission scopes this key is authorized for. Required and must be non-empty when `access_mode` is `scoped`. Must be omitted when `access_mode` is `full_access`.
- `expires_at` (string): Expiration date (ISO 8601). Omit for no expiration.

Code samples
```bash
curl -X POST "https://api.canopy.dev/api/v1/api-keys" \
  -H "X-API-Key: $CANOPY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "string",
    "description": "string",
    "access_mode": "scoped",
    "scopes": [
      "string"
    ],
    "expires_at": "string"
  }'
```

```javascript
// Node.js: read the key from the environment. A quoted "$CANOPY_API_KEY"
// is not expanded and would be sent as a literal string.
const response = await fetch("https://api.canopy.dev/api/v1/api-keys", {
  method: "POST",
  headers: {
    "X-API-Key": process.env.CANOPY_API_KEY,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    "name": "string",
    "description": "string",
    "access_mode": "scoped",
    "scopes": [
      "string"
    ],
    "expires_at": "string"
  }),
});
const data = await response.json();
```

```python
import os

import requests

response = requests.post(
    "https://api.canopy.dev/api/v1/api-keys",
    headers={
        # Read the key from the environment instead of sending a literal "$CANOPY_API_KEY".
        "X-API-Key": os.environ["CANOPY_API_KEY"],
        "Content-Type": "application/json",
    },
    json={
        "name": "string",
        "description": "string",
        "access_mode": "scoped",
        "scopes": [
            "string",
        ],
        "expires_at": "string",
    },
)
data = response.json()
```

```go
package main

import (
	"bytes"
	"encoding/json"
	"log"
	"net/http"
	"os"
)

func main() {
	payload := map[string]interface{}{
		"name":        "string",
		"description": "string",
		"access_mode": "scoped",
		"scopes": []interface{}{
			"string",
		},
		"expires_at": "string",
	}
	body, err := json.Marshal(payload)
	if err != nil {
		log.Fatal(err)
	}
	req, err := http.NewRequest("POST", "https://api.canopy.dev/api/v1/api-keys", bytes.NewBuffer(body))
	if err != nil {
		log.Fatal(err)
	}
	// Read the key from the environment instead of sending a literal "$CANOPY_API_KEY".
	req.Header.Set("X-API-Key", os.Getenv("CANOPY_API_KEY"))
	req.Header.Set("Content-Type", "application/json")
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		log.Fatal(err) // resp is nil on error, so check before touching resp.Body
	}
	defer resp.Body.Close()
}
```

Responses
```json
{
  "id": "string",
  "name": "string",
  "description": "string",
  "key": "string",
  "key_preview": "string",
  "access_mode": "scoped",
  "scopes": [
    "string"
  ],
  "expires_at": "2026-04-20T12:00:00.000Z",
  "created_at": "2026-04-20T12:00:00.000Z"
}
```

application/json
- `id` * (string)
- `name` * (string)
- `description` (string)
- `key` * (string): Plaintext API key, shown only once
- `key_preview` * (string)
- `access_mode` * (enum: "scoped" | "full_access"): `full_access` keys bypass RBAC entirely within the Application. `scoped` keys enforce the `scopes` array. Surface this prominently in any UI that lists keys: it's the difference between a routine integration credential and an App-wide bearer token.
- `scopes` * (string[])
- `expires_at` (string, date-time)
- `created_at` * (string, date-time)

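The `access_mode`/`scopes` rules from the request body and the `full_access` warning on the response, written out as a client-side preflight and review check. This is an added example, not Canopy's own code; the function names, the sample scope name, the `datetime.fromisoformat` approximation of "ISO 8601", and treating a null or absent `expires_at` as "no expiration" are assumptions.

```python
from datetime import datetime

ACCESS_MODES = {"scoped", "full_access"}


def validate_create_request(body: dict) -> list:
    """Return documented-rule violations for a create-key body ([] means it passes)."""
    errors = []
    if not isinstance(body.get("name"), str):
        errors.append("name is required")
    mode = body.get("access_mode")
    if mode not in ACCESS_MODES:
        errors.append("access_mode must be 'scoped' or 'full_access'")
    scopes = body.get("scopes")
    # `scoped` requires a non-empty scopes array.
    if mode == "scoped" and not (isinstance(scopes, list) and scopes):
        errors.append("scoped requires a non-empty scopes array")
    # `full_access` forbids the field entirely, even as an empty list.
    if mode == "full_access" and "scopes" in body:
        errors.append("full_access forbids scopes")
    if "expires_at" in body:
        try:
            # Assumption: local approximation of the server's ISO 8601 check.
            datetime.fromisoformat(str(body["expires_at"]).replace("Z", "+00:00"))
        except ValueError:
            errors.append("expires_at must be ISO 8601")
    return errors


def review_findings(key: dict) -> list:
    """Flag properties of a key record (response shape above) a reviewer should see."""
    findings = []
    if key.get("access_mode") == "full_access":
        findings.append("full_access: bypasses RBAC within the Application")
    if not key.get("expires_at"):  # assumption: null or absent means no expiration
        findings.append("no expiration")
    return findings


if __name__ == "__main__":
    # Constructed sample body; "deployments:read" is a made-up scope name.
    sample = {"name": "ci", "access_mode": "full_access", "scopes": ["deployments:read"]}
    print(validate_create_request(sample))
    print(review_findings(sample))
```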
Errors
| Code | Status | Remediation |
|---|---|---|
| `api_keys.name_conflict` | 409 | |
| `api_keys.invalid_scope` | 400 | |
Idempotency
Send an `Idempotency-Key` header to make retries safe. Canopy replays the same response for matching keys within 24 hours.
Rate limit
Emitted events
- `api_key.created`