34
Auth & SecurityScoped API Keys
Create limited-permission API keys for services and revoke them independently.
Prerequisite: Lesson 33 complete
What you'll learn
- ✓POST /v1/admin/api-keys — name, scopes, expires_at
- ✓Available scopes: strand:write, strand:read, query:*, admin:api-keys, admin:agents, blob:write, blob:read
- ✓api_key value shown only once on creation
- ✓GET /v1/admin/api-keys — list all keys
- ✓DELETE /v1/admin/api-keys/:key_id — revoke
Challenge
Create 3 keys: write-only, read-only analytics, admin. Test each key's permissions against their scope.
Interactive Walkthrough
What you'll learn
Create limited-permission API keys for services and revoke them independently of the root key.
Create a scoped key
curl -s -X POST http://localhost:7475/v1/admin/api-keys \
-H "Content-Type: application/json" \
-H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
-d '{
"name": "analytics-service",
"scopes": ["query:*"],
"expires_at": "2027-01-01T00:00:00Z"
}' | python3 -m json.toolResponse:
`json
{
"key_id": "key_a1b2c3d4",
"api_key": "spx_sk_9f8e7d6c...",
"name": "analytics-service",
"scopes": ["query:*"],
"expires_at": "2027-01-01T00:00:00Z"
}
`
Save the api_key — it is only shown once.
Available scopes
| Scope | Allows |
|---|---|
strand:write | Write records to any agent |
strand:read | Read records from any agent |
query:* | All query types |
admin:api-keys | Create/revoke API keys |
admin:agents | Create/delete agents |
blob:write | Upload blobs |
blob:read | Download blobs |
Use the scoped key
curl -s -X POST http://localhost:7475/v1/agents/users/query \
-H "Content-Type: application/json" \
-H "Authorization: Bearer spx_sk_9f8e7d6c..." \
-d '{"type": "count"}' | python3 -m json.toolList all keys
curl -s http://localhost:7475/v1/admin/api-keys \
-H "Authorization: Bearer spx_root_YOUR_ROOT_KEY" \
| python3 -m json.toolRevoke a key
curl -s -X DELETE http://localhost:7475/v1/admin/api-keys/key_a1b2c3d4 \
-H "Authorization: Bearer spx_root_YOUR_ROOT_KEY"Challenge
Create three scoped keys: one for a write-only service (strand:write), one for a read-only analytics service (query:*, strand:read), one for an admin service (admin:*). Test each key's permissions.
---