API Keys and Scopes
API keys are tenant-bound credentials. A Personal key is limited to Personal workspaces. An Org key is limited to that Org.
Create a key
Use the Dokki account API key manager or:
POST /api/v1/api-keys
New public API keys default to read scopes. Request only the scopes needed by the integration.
{
"name": "docs-sync",
"org_id": "org_uuid",
"scopes": ["workspace:read", "resource:read", "content:read"]
}Scope examples
workspace:read: list accessible workspaces.resource:read: read resource metadata.content:read: read document, table, or artifact content.content:write: update content.search:read: keyword, semantic, and hybrid search.agent_run:write: start an agent run.share:write: change resource sharing.org_member:write: manage Org membership.
A scope never grants access outside the key tenant or around object permissions.
Rotation
Create a replacement key, deploy it, verify GET /api/v1/me, then revoke the old key. Keep a short overlap window and record the key id, not the secret.