D

API Keys and Scopes

API Keys and Scopes

API keys are tenant-bound credentials. A Personal key is limited to Personal workspaces. An Org key is limited to that Org.

Create a key

Use the Dokki account API key manager or:

POST /api/v1/api-keys

New public API keys default to read scopes. Request only the scopes needed by the integration.

{
  "name": "docs-sync",
  "org_id": "org_uuid",
  "scopes": ["workspace:read", "resource:read", "content:read"]
}

Scope examples

  • workspace:read: list accessible workspaces.

  • resource:read: read resource metadata.

  • content:read: read document, table, or artifact content.

  • content:write: update content.

  • search:read: keyword, semantic, and hybrid search.

  • agent_run:write: start an agent run.

  • share:write: change resource sharing.

  • org_member:write: manage Org membership.

A scope never grants access outside the key tenant or around object permissions.

Rotation

Create a replacement key, deploy it, verify GET /api/v1/me, then revoke the old key. Keep a short overlap window and record the key id, not the secret.