← All lessons/Auth & Security
34
Auth & Security

Scoped API Keys

Create limited-permission API keys for services and revoke them independently.

Prerequisite: Lesson 33 complete

What you'll learn

  • POST /v1/admin/api-keys — name, scopes, expires_at
  • Available scopes: strand:write, strand:read, query:*, admin:api-keys, admin:agents, blob:write, blob:read
  • api_key value shown only once on creation
  • GET /v1/admin/api-keys — list all keys
  • DELETE /v1/admin/api-keys/:key_id — revoke
Challenge

Create 3 keys: write-only, read-only analytics, admin. Test each key's permissions against their scope.

Interactive Walkthrough

What you'll learn

Create limited-permission API keys for services and revoke them independently of the root key.

Create a scoped key

curl -s -X POST http://localhost:7475/v1/admin/api-keys \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
  -d '{
    "name":   "analytics-service",
    "scopes": ["query:*"],
    "expires_at": "2027-01-01T00:00:00Z"
  }' | python3 -m json.tool

Response: `json { "key_id": "key_a1b2c3d4", "api_key": "spx_sk_9f8e7d6c...", "name": "analytics-service", "scopes": ["query:*"], "expires_at": "2027-01-01T00:00:00Z" } `

Save the api_key — it is only shown once.

Available scopes

ScopeAllows
strand:writeWrite records to any agent
strand:readRead records from any agent
query:*All query types
admin:api-keysCreate/revoke API keys
admin:agentsCreate/delete agents
blob:writeUpload blobs
blob:readDownload blobs

Use the scoped key

curl -s -X POST http://localhost:7475/v1/agents/users/query \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer spx_sk_9f8e7d6c..." \
  -d '{"type": "count"}' | python3 -m json.tool

List all keys

curl -s http://localhost:7475/v1/admin/api-keys \
  -H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
  | python3 -m json.tool

Revoke a key

curl -s -X DELETE http://localhost:7475/v1/admin/api-keys/key_a1b2c3d4 \
  -H "Authorization: Bearer spx_root_YOUR_ROOT_KEY"

Challenge

Create three scoped keys: one for a write-only service (strand:write), one for a read-only analytics service (query:*, strand:read), one for an admin service (admin:*). Test each key's permissions.

---

← Previous
Lesson 33: Root Key & API Authentication
Next →
Lesson 35: Key Delegation & Rate Limiting