Create a new API key
/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/api-keysAuthentication
- Bearer Token
AuthorizationJWT access token
Request body
namestringAPI key name
descriptionstringAPI key description
access_modeenum: "scoped" | "full_access"Required. `scoped` enforces the `scopes` array on every authorization check (deny if the requested permission isn't listed). `full_access` bypasses RBAC entirely within the key's Application — every permission is granted. Pick `scoped` whenever possible; `full_access` should be a deliberate choice (use cases: bootstrap automation, trusted backend services that legitimately need App-wide access). `scoped` requires a non-empty `scopes` array; `full_access` forbids `scopes`.
scopesstring[]Permission scopes this key is authorized for. Required and must be non-empty when `access_mode` is `scoped`. Must be omitted when `access_mode` is `full_access`.
expires_atstringExpiration date (ISO 8601). Omit for no expiration.
Code samples
curl -X POST "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/api-keys" \
-H "Authorization: Bearer $CANOPY_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"name": "string",
"description": "string",
"access_mode": "scoped",
"scopes": [
"string"
],
"expires_at": "string"
}'const response = await fetch("https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/api-keys", {
method: "POST",
headers: {
"Authorization": "Bearer $CANOPY_TOKEN",
"Content-Type": "application/json"
},
body: JSON.stringify({
"name": "string",
"description": "string",
"access_mode": "scoped",
"scopes": [
"string"
],
"expires_at": "string"
}),
});
const data = await response.json();import requests
response = requests.post(
"https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/api-keys",
headers={
"Authorization": "Bearer $CANOPY_TOKEN",
"Content-Type": "application/json"
},
json={
"name": "string",
"description": "string",
"access_mode": "scoped",
"scopes": [
"string",
],
"expires_at": "string",
},
)
data = response.json()package main
import (
"bytes"
"encoding/json"
"net/http"
)
func main() {
payload := map[string]interface{}{
"name": "string",
"description": "string",
"access_mode": "scoped",
"scopes": []interface{}{
"string",
},
"expires_at": "string",
}
body, _ := json.Marshal(payload)
req, _ := http.NewRequest("POST", "https://api.canopy.dev/portal/v1/accounts/{accountSlug}/applications/{appSlug}/environments/{envSlug}/api-keys", bytes.NewBuffer(body))
req.Header.Set("Authorization", "Bearer $CANOPY_TOKEN")
req.Header.Set("Content-Type", "application/json")
resp, _ := http.DefaultClient.Do(req)
defer resp.Body.Close()
}Responses
{
"id": "string",
"name": "string",
"description": "string",
"key": "string",
"key_preview": "string",
"access_mode": "scoped",
"scopes": [
"string"
],
"expires_at": "2026-04-20T12:00:00.000Z",
"created_at": "2026-04-20T12:00:00.000Z"
}application/json
idstringnamestringdescriptionstringkeystringPlaintext API key — shown only once
key_previewstringaccess_modeenum: "scoped" | "full_access"`full_access` keys bypass RBAC entirely within the Application. `scoped` keys enforce the `scopes` array. Surface this prominently in any UI that lists keys — it's the difference between a routine integration credential and an App-wide bearer token.
scopesstring[]expires_atstring (date-time)created_atstring (date-time)