API Keys Management
Manage API keys for your projects via the Developer API. API keys are scoped to individual projects and inherit the project’s security settings.
Endpoints
List API Keys
Retrieve all API keys for the authenticated user.
Headers:
Response (200 OK)
[
{
"id": "key_abc123",
"name": "Production API",
"prefix": "pg_xxxx",
"project_id": "proj_abc123",
"is_active": true,
"created_at": "2025-01-15T10:30:00Z",
"last_used_at": "2025-02-01T14:22:00Z"
},
{
"id": "key_def456",
"name": "Staging API",
"prefix": "pg_yyyy",
"project_id": "proj_abc123",
"is_active": true,
"created_at": "2025-01-20T08:15:00Z",
"last_used_at": null
}
]
Full API key values are never returned in list responses. Use the Reveal endpoint to retrieve the full key. Create API Key
Create a new API key for the current user.
Request Body
{
"name": "Production API",
"project_id": "proj_abc123"
}
| Parameter | Type | Required | Description |
|---|
name | string | Yes | Descriptive name for the key |
project_id | string | Yes | Project to associate the key with |
{
"id": "key_abc123",
"name": "Production API",
"key": "pg_live_abc123def456ghi789...",
"project_id": "proj_abc123",
"is_active": true,
"created_at": "2025-01-15T10:30:00Z"
}
The key field is only returned once during creation. Store it securely — you won’t be able to see it again.
| Plan | Max API Keys per Project |
|---|
| Free | 1 |
| Pro | 10 |
| Scale | Unlimited |
Delete API Key
Permanently delete an API key. This immediately revokes access.
DELETE /api/v1/api-keys/{key_id}
| Parameter | Type | In | Description |
|---|
key_id | string | Path | ID of the key to delete |
{
"message": "API key deleted successfully"
}
Toggle API Key Status
Enable or disable an API key without deleting it.
PUT /api/v1/api-keys/{key_id}/toggle
| Parameter | Type | In | Description |
|---|
key_id | string | Path | ID of the key to toggle |
{
"id": "key_abc123",
"name": "Production API",
"is_active": false,
"message": "API key deactivated"
}
Use toggle instead of delete when you want to temporarily disable a key (e.g., during incident response) without losing the key configuration.
Reveal API Key
Retrieve the full API key value. Use this to copy a key you’ve previously created.
GET /api/v1/api-keys/{key_id}/reveal
| Parameter | Type | In | Description |
|---|
key_id | string | Path | ID of the key to reveal |
{
"id": "key_abc123",
"key": "pg_live_abc123def456ghi789..."
}
Code Examples
import requests
import os
api_key = os.environ.get("PROMPTGUARD_API_KEY")
base_url = "https://api.promptguard.co/api/v1/api-keys"
headers = {
"X-API-Key": api_key,
"Content-Type": "application/json"
}
# List all API keys
response = requests.get(base_url, headers=headers)
keys = response.json()
for key in keys:
print(f"{key['name']}: {key['prefix']}... (active: {key['is_active']})")
# Create a new API key
response = requests.post(base_url, headers=headers, json={
"name": "Backend Service",
"project_id": "proj_abc123"
})
new_key = response.json()
print(f"New key: {new_key['key']}") # Save this!
# Toggle a key off
requests.put(f"{base_url}/{new_key['id']}/toggle", headers=headers)
# Delete a key
requests.delete(f"{base_url}/{new_key['id']}", headers=headers)
const apiKey = process.env.PROMPTGUARD_API_KEY;
const baseUrl = 'https://api.promptguard.co/api/v1/api-keys';
const headers = {
'X-API-Key': apiKey,
'Content-Type': 'application/json'
};
// List all API keys
const keys = await fetch(baseUrl, { headers }).then(r => r.json());
keys.forEach(key => {
console.log(`${key.name}: ${key.prefix}... (active: ${key.is_active})`);
});
// Create a new API key
const newKey = await fetch(baseUrl, {
method: 'POST',
headers,
body: JSON.stringify({
name: 'Backend Service',
project_id: 'proj_abc123'
})
}).then(r => r.json());
console.log(`New key: ${newKey.key}`); // Save this!
// Toggle a key off
await fetch(`${baseUrl}/${newKey.id}/toggle`, {
method: 'PUT',
headers
});
// Delete a key
await fetch(`${baseUrl}/${newKey.id}`, {
method: 'DELETE',
headers
});
# List all API keys
curl https://api.promptguard.co/api/v1/api-keys \
-H "X-API-Key: $PROMPTGUARD_API_KEY"
# Create a new API key
curl -X POST https://api.promptguard.co/api/v1/api-keys \
-H "X-API-Key: $PROMPTGUARD_API_KEY" \
-H "Content-Type: application/json" \
-d '{"name": "Backend Service", "project_id": "proj_abc123"}'
# Toggle API key status
curl -X PUT https://api.promptguard.co/api/v1/api-keys/{key_id}/toggle \
-H "X-API-Key: $PROMPTGUARD_API_KEY"
# Reveal full API key
curl https://api.promptguard.co/api/v1/api-keys/{key_id}/reveal \
-H "X-API-Key: $PROMPTGUARD_API_KEY"
# Delete API key
curl -X DELETE https://api.promptguard.co/api/v1/api-keys/{key_id} \
-H "X-API-Key: $PROMPTGUARD_API_KEY"
Error Responses
| Status | Code | Description |
|---|
| 400 | key_limit_reached | Maximum API keys for your plan reached |
| 401 | unauthorized | Invalid or missing API key |
| 404 | not_found | API key ID not found |
Best Practices
- Name keys descriptively — Use names like “Production Backend” or “Staging Cron Job” so you can identify them later
- One key per service — Don’t share keys between applications
- Rotate every 90 days — Create new key → update apps → delete old key
- Use toggle for incidents — Disable a compromised key immediately without losing the configuration
- Monitor last_used_at — Delete keys that haven’t been used in a while
