API Keys

Create and manage API keys with granular permissions

Endpoints
API key management endpoints
GET /api-keys
POST /api-keys
GET /api-keys/{id}
PUT /api-keys/{id}
DELETE /api-keys/{id}
POST /api-keys/{id}/rotate

The API Key Object

Field       Type    Description
id          string  Unique API key identifier
name        string  Display name for the key
key         string  Full API key (only shown on creation)
keyPrefix   string  First 12 characters for identification
scopes      array   Permissions granted to this key
createdAt   string  ISO 8601 creation timestamp
expiresAt   string  Expiration date (null = never expires)
lastUsedAt  string  Last time key was used

Available Scopes

API keys use scopes to limit what actions they can perform. Always use the minimum required scopes.

orders:read       Read order data
orders:write      Create and update orders
products:read     Read product catalog
products:write    Manage products
inventory:read    Read inventory levels
inventory:write   Update inventory
commissions:read  View commissions
webhooks:read     List webhooks
webhooks:write    Manage webhooks

Create an API Key

POST /api-keys

Create a new API key with specific scopes and optional expiration date.

Store your key securely

The full API key is only shown once when created. Store it securely - you cannot retrieve it later.

curl -X POST "https://gateway.regentherapy.com/api/v1/api-keys" \
  -H "X-API-Key: rg_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Integration",
    "scopes": ["orders:read", "orders:write", "products:read", "inventory:read"],
    "expiresAt": "2025-01-20T00:00:00Z"
  }'

List API Keys

GET /api-keys

Retrieve all API keys for your account. Note: The full key value is never returned in list operations.

curl -X GET "https://gateway.regentherapy.com/api/v1/api-keys" \
  -H "X-API-Key: rg_your_api_key" \
  -H "Content-Type: application/json"

Rotate API Key

POST /api-keys/{id}/rotate

Generate a new key value while keeping the same configuration. The old key remains valid for 5 minutes to allow for graceful migration.

curl -X POST "https://gateway.regentherapy.com/api/v1/api-keys/key_abc123/rotate" \
  -H "X-API-Key: rg_your_api_key" \
  -H "Content-Type: application/json"

Security Best Practices

1. Minimum scopes: Only request the scopes your integration actually needs.
2. Set expiration: Use expiration dates for keys that don't need to be permanent.
3. Rotate regularly: Rotate keys periodically, especially if team members leave.
4. Environment variables: Never commit API keys to source control.
5. Monitor usage: Check lastUsedAt to identify unused keys for cleanup.
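
The practices above can be checked mechanically against the output of GET /api-keys. The following is an added example, not part of the original documentation or the provider's code: it audits a list of API key objects for missing expiration, long-unused keys, and write scopes on keys that never expire. It assumes the list response is a JSON array of objects with the fields from the table above; the 90-day threshold, the finding names and the sample data are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # assumed review threshold, not from the page

def parse_ts(value):
    """Parse an ISO 8601 timestamp like 2025-01-20T00:00:00Z; null stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_key(key, now):
    """Return the findings for one API key object, in check order."""
    findings = []
    expires = parse_ts(key.get("expiresAt"))
    # A key that was never used is aged from its creation time.
    last_seen = parse_ts(key.get("lastUsedAt")) or parse_ts(key["createdAt"])
    if expires is None:
        findings.append("no-expiration")
    if now - last_seen > STALE_AFTER:
        findings.append("unused")
    if expires is None and any(s.endswith(":write") for s in key["scopes"]):
        findings.append("permanent-write-access")
    return findings

def audit_keys(keys, now):
    """Map key id -> findings, omitting keys with nothing to report."""
    report = {k["id"]: audit_key(k, now) for k in keys}
    return {key_id: found for key_id, found in report.items() if found}

# Constructed sample data (not real keys); list responses never include "key".
SAMPLE_KEYS = [
    {"id": "key_a", "scopes": ["orders:read", "orders:write"],
     "createdAt": "2024-06-01T00:00:00Z", "expiresAt": "2025-01-20T00:00:00Z",
     "lastUsedAt": "2024-12-31T08:00:00Z"},
    {"id": "key_b", "scopes": ["orders:read"],
     "createdAt": "2023-03-01T00:00:00Z", "expiresAt": None,
     "lastUsedAt": "2024-02-10T12:00:00Z"},
    {"id": "key_c", "scopes": ["inventory:read", "inventory:write"],
     "createdAt": "2024-11-01T00:00:00Z", "expiresAt": None,
     "lastUsedAt": "2024-12-30T09:30:00Z"},
    {"id": "key_d", "scopes": ["webhooks:read"],
     "createdAt": "2024-01-05T00:00:00Z", "expiresAt": "2025-06-01T00:00:00Z",
     "lastUsedAt": None},
]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed so results are repeatable

if __name__ == "__main__":
    for key_id, found in audit_keys(SAMPLE_KEYS, NOW).items():
        print(key_id, ", ".join(found))
```

Keys flagged as unused are candidates for deletion; keys flagged for missing expiration can be given an expiresAt value or rotated on a schedule.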