--- title: "ApiKey" description: "The `ApiKey` entity." section: "Reference" group: "Types" order: 14 --- ## Definition ```ts interface ApiKey { id: string; workspaceId: string; type: "private" | "public" | "session"; name: string; keyHint: string; expiresAt: string | null; createdBy: string; ownerUserId: string | null; createdAt: string; lastUsedAt: string | null; scopes?: | { operations?: Array | undefined; entityIds?: Array | undefined; } | null | undefined; } ``` ## Fields | Field | Type | Notes | | ------------- | ----------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `id` | `string` | `readonly` `required` | | `workspaceId` | `string` | `required` — Workspace this key belongs to. | | `type` | `"private" \| "public" \| "session"` | `required` — Key type — 'private' for server-side use, 'public' for clients. | | `name` | `string` | `required` — Human-readable label for the key. | | `keyHint` | `string` | `required` — Last few characters of the key, safe to display for identification. | | `expiresAt` | `string \| null` | `required` — ISO-8601 timestamp after which the key is rejected; null = no expiry. | | `createdBy` | `string` | `required` — User who issued the key. | | `ownerUserId` | `string \| null` | `required` — User this key authenticates as — what `verifyApiKey` returns as the caller identity. Null falls back to `createdBy`. Splitting owner from creator lets a workspace admin issue keys that act as the workspace's headless service user (or any other workspace member) without losing the creator audit trail. | | `createdAt` | `string` | `readonly` `required` — ISO-8601 timestamp of creation. | | `lastUsedAt` | `string \| null` | `required` — ISO-8601 timestamp of the most recent successful use. | | `scopes` | `{ operations?: Array \| undefined; entityIds?: Array \| undefined; } \| null \| undefined` | `optional` — Restricts what this key may do; null/empty means full access within its key type. |