Organization API Keys
API keys are the recommended credential for server-to-server use. Each key is scoped to a single organization and automatically resolves that org’s billing account on every request — no X-Org-ID header needed.
Key format
All keys start with sk- and are shown once at creation time. Store them in your secret manager — they can’t be retrieved again.
Creating a key
```bash
curl -X POST https://api.aiand.com/api/v1/keys \
  -H "Authorization: Bearer <jwt>" \
  -H "X-Org-ID: <org-id>" \
  -H "Content-Type: application/json" \
  -d '{"name": "production-server"}'
```

Or use the console: Settings → API Keys → Create.
Managing keys
| Action | Endpoint |
|---|---|
| List keys | GET /api/v1/keys |
| Create key | POST /api/v1/keys |
| Update key (name, status) | PATCH /api/v1/keys/{key_id} |
| Revoke key | DELETE /api/v1/keys/{key_id} |
All management endpoints require JWT auth and X-Org-ID.
Rotation
Keys don’t auto-expire. Rotate them when:
- A team member with key access leaves.
- A key is exposed (leaked logs, accidental commit).
- Compliance policy requires periodic rotation.
Create the new key first, deploy it, then revoke the old one — this avoids downtime.
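To catch the "leaked logs, accidental commit" case before it forces a rotation, the following added example (not code from this documentation or its vendor) scans log or diff lines for `sk-` keys, redacts them, and reports a fingerprint instead of the secret. The page states only the `sk-` prefix, so the body character set and 16-character minimum in the pattern are assumptions, and the sample lines and key value are constructed.

```python
import hashlib
import re

# Assumption: the page documents only the "sk-" prefix. The body charset and
# the 16-character minimum are guesses chosen to limit false positives.
# The lookbehind keeps words such as "task-..." from matching.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])sk-[A-Za-z0-9_-]{16,}")


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix: identifies a key in a report without storing it."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def scan(lines):
    """Return (findings, redacted_lines) for an iterable of text lines.

    Each finding is (line_number, fingerprint); line numbers start at 1.
    """
    findings, redacted = [], []
    for lineno, line in enumerate(lines, start=1):
        def _redact(match, lineno=lineno):
            fp = fingerprint(match.group(0))
            findings.append((lineno, fp))
            return f"sk-[REDACTED:{fp}]"
        redacted.append(KEY_RE.sub(_redact, line))
    return findings, redacted


# Constructed sample input: the key value below is made up for this example.
SAMPLE_LOG = [
    "2024-01-01T00:00:00Z INFO job done task-12345678901234567890",
    "2024-01-01T00:00:01Z DEBUG config api_key=sk-EXAMPLEexample0123456789",
    "+API_KEY=sk-EXAMPLEexample0123456789",
    "2024-01-01T00:00:02Z WARN retry sk-short",
]

if __name__ == "__main__":
    found, clean = scan(SAMPLE_LOG)
    for lineno, fp in found:
        print(f"line {lineno}: key fingerprint {fp} -> revoke and rotate")
    print("\n".join(clean))
```

Compare each reported fingerprint with `fingerprint()` of the keys held in your secret manager to decide which key to revoke.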