Create API Key

POST/web/v1/workspaces/{workspaceId}/api-keys JWT

Creates a new API key for the specified workspace. The response includes the API key secret, which is only returned once at creation time. Clients must store the secret securely; it cannot be retrieved again.

Required Headers

Header	Example Value	Description
Content-Type	application/json	Request content type
Accept	application/json	Expected response type
X-Client-Hash		Client device fingerprint
Accept-Language	`en`, `zh`, `zh-Hant`, `ja`, `vi`	Response language (default: `en`)
Authorization	Bearer	JWT access token
X-Workspace-Id		Target workspace ID

Request Parameters

Name	Type	Required	In	Description
`workspaceId`	`string`	Required	path	Workspace business ID
`name`	`string`	Required	body	Display name for the API key (1-128 characters)
`scopes`	`string[]`	Optional	body	List of API scope codes to restrict access. If empty, the key has zero access.
`mode`	`integer`	Optional	body	Key mode: `1` = LIVE (default), `2` = TEST (sandbox). Only PARTNER portal can create TEST keys.
`ipWhitelist`	`string[]`	Optional	body	IP whitelist. Supports single IPs (`192.168.1.100`) and CIDR notation (`192.168.1.0/24`). Empty means no IP restriction.

Success Response

Created 201

{
  "version": "1.3.0",
  "timestamp": 1709337600000,
  "success": true,
  "code": "2000",
  "message": "SUCCESS",
  "data": {
    "apiKeyId": "sk_live_abc123",
    "secret": "sk_live_**********",
    "name": "Production Key",
    "status": "ACTIVE",
    "mode": "LIVE",
    "scopes": [
      "payment:read",
      "payment:write"
    ],
    "ipWhitelist": [
      "192.168.1.0/24"
    ],
    "createdAt": "2026-03-21T00:00:00Z"
  }
}

Error Responses

Unauthorized 401

{
  "success": false,
  "code": "4010",
  "message": "Invalid or expired token"
}

Forbidden — not workspace owner 403

{
  "success": false,
  "code": "4030",
  "message": "Only workspace owner can manage API keys"
}

Notes

The secret field is returned only once at creation time. It cannot be retrieved again; prompt the user to save it immediately.
Only workspace OWNERs can create API keys.
If scopes is empty or null, the key will be denied at every API permission check (zero-scope = zero-access).

Create API Key ​

Required Headers ​

Request Parameters ​

Success Response ​

Error Responses ​