Skip to content
Evershell Docs

Create an API key

POST
/api-keys
 
curl --request POST \
  --url https://your-org.evershell.ai/v1/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '{ "label": "CI runner — staging", "permission_set": "full_access" }'

Permissions: apikeys:write.

Provisions an org-scoped key via WorkOS and mirrors metadata locally. The value field is the full secret — returned exactly once in this response.

Authorizations

Section titled “Authorizations ”

Request Body required

Section titled “Request Body required ”
Media type application/json
object
label
required
string
<= 100 characters
Example 
CI runner — staging
permission_set
required

Closed-enum template that determines the perm list WorkOS attaches to the key. See API keys for the per-template scope sets and rationale.

string
Allowed values: full_access submit_observe read_only

Responses

Section titled “ Responses ”

201

Section titled “201 ”

Created

Media type application/json
object
id
required
string
label
required
string
prefix
required

Obfuscated form of the secret, safe to display

string
permission_set
required

Closed-enum template that determines the perm list WorkOS attaches to the key. See API keys for the per-template scope sets and rationale.

string
Allowed values: full_access submit_observe read_only
created_by_user_id
string
created_at
required
string format: date-time
last_used_at
string format: date-time
value
required

Full secret. Returned exactly once at create time. Lose it and you revoke + reissue — there is no read-back path.

string
Example 
{
  "id": "api_key_01HZ",
  "label": "CI runner — staging",
  "prefix": "sk_live_...wxyz",
  "permission_set": "full_access",
  "value": "sk_live_abc123def456ghi789"
}

400

Section titled “400 ”

Validation failure

Media type application/json
object
error
required
object
code
required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string
message
required

Human-readable summary

string
request_id
required

Server-generated request id for correlating logs

string
details

Optional structured context. Validation errors land at details.fields as a per-field map.

object
key
additional properties
any
Example 
{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

401

Section titled “401 ”

Missing or invalid credential

Media type application/json
object
error
required
object
code
required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string
message
required

Human-readable summary

string
request_id
required

Server-generated request id for correlating logs

string
details

Optional structured context. Validation errors land at details.fields as a per-field map.

object
key
additional properties
any
Example 
{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

403

Section titled “403 ”

Caller lacks the required scope, or cross-org access attempted

Media type application/json
object
error
required
object
code
required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string
message
required

Human-readable summary

string
request_id
required

Server-generated request id for correlating logs

string
details

Optional structured context. Validation errors land at details.fields as a per-field map.

object
key
additional properties
any
Example 
{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}

423

Section titled “423 ”

Tenant is past_due, decommissioning, or trial-expired

Media type application/json
object
error
required
object
code
required

Closed-enum slug (e.g. permission_denied, validation_error, workspace_not_found)

string
message
required

Human-readable summary

string
request_id
required

Server-generated request id for correlating logs

string
details

Optional structured context. Validation errors land at details.fields as a per-field map.

object
key
additional properties
any
Example 
{
  "error": {
    "code": "permission_denied",
    "message": "caller lacks required scope",
    "request_id": "7f3a9c2e"
  }
}