API Keys

API keys authenticate all requests to the WebExtract API. Keys follow the format cai_sk_…. The full key is shown only once at creation — store it securely.

Security

Never expose API keys in client-side code, public repositories, or browser requests. Use server-side environments (environment variables, secrets managers) exclusively.

POST /api/keys

Create a new API key. The full key value is only returned in this response.

Request body
{ "name": "production-server" }

Response 201 Created
{
  "success": true,
  "key": "cai_sk_••••••••••••••••••••",
  "prefix": "cai_sk_••••",
  "name": "production-server",
  "warning": "Store this key securely — it won't be shown again."
}

GET /api/keys

List all active API keys for your account. Key values are never returned — only the prefix and metadata.

Response 200 OK
{
  "success": true,
  "keys": [{
    "id": "…",
    "name": "production-server",
    "keyPrefix": "cai_sk_••••",
    "lastUsedAt": "2026-03-14T08:22:00Z",
    "createdAt": "2026-01-01T00:00:00Z"
  }]
}

DELETE /api/keys/:id

Permanently revoke an API key. Any requests using the revoked key will immediately return 401 Unauthorized.

Warning: Revocation is permanent and cannot be undone. Create a replacement key before revoking.
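
An added example, not part of the WebExtract documentation: an audit over the GET /api/keys response that uses createdAt and lastUsedAt to flag keys to rotate or revoke. The 30-day and 90-day thresholds, the sample ids and prefixes, and a null lastUsedAt for a never-used key are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the GET /api/keys response; ids, prefixes
# and the null lastUsedAt for a never-used key are assumptions.
SAMPLE_RESPONSE = json.loads("""
{"success": true, "keys": [
  {"id": "k1", "name": "production-server", "keyPrefix": "cai_sk_aaaa",
   "lastUsedAt": "2026-03-14T08:22:00Z", "createdAt": "2026-01-01T00:00:00Z"},
  {"id": "k2", "name": "old-batch-job", "keyPrefix": "cai_sk_bbbb",
   "lastUsedAt": "2025-10-02T11:00:00Z", "createdAt": "2025-03-01T00:00:00Z"},
  {"id": "k3", "name": "never-deployed", "keyPrefix": "cai_sk_cccc",
   "lastUsedAt": null, "createdAt": "2026-02-20T00:00:00Z"}
]}
""")

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp ("...Z"); a missing value stays None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_keys(response, now, max_idle_days=30, max_age_days=90):
    """Return {key id: [reasons]} for keys that should be rotated or revoked."""
    if not response.get("success"):
        raise ValueError("key listing failed; refusing to audit partial data")
    findings = {}
    for key in response.get("keys", []):
        created = parse_ts(key.get("createdAt"))
        last_used = parse_ts(key.get("lastUsedAt"))
        reasons = []
        if created is None:
            reasons.append("missing createdAt")
        elif now - created > timedelta(days=max_age_days):
            reasons.append("older than %d days: rotate" % max_age_days)
        if last_used is None:
            reasons.append("never used: revoke if not needed")
        elif now - last_used > timedelta(days=max_idle_days):
            reasons.append("idle more than %d days: revoke candidate" % max_idle_days)
        if reasons:
            findings[key["id"]] = reasons
    return findings

if __name__ == "__main__":
    now = datetime(2026, 3, 15, tzinfo=timezone.utc)  # fixed date for the sample
    for key_id, reasons in audit_keys(SAMPLE_RESPONSE, now).items():
        print(key_id, "; ".join(reasons))
```

For any key flagged for rotation, create the replacement and deploy it before calling DELETE /api/keys/:id on the old one, since revocation cannot be undone.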
