API Key Authentication
API keys provide long-lived authentication for programmatic access.
Key Format
API keys follow the format: ss_key_<random-string>
Keys are hashed before storage and cannot be retrieved after creation.
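How hash-only storage of such keys can work on the server side, shown as an added example that is not SureStage's own code. It assumes SHA-256, an in-memory dict as the key store, and hypothetical function and field names; the page specifies none of these.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone
from typing import Optional

PREFIX = "ss_key_"  # prefix taken from the key format above

def digest(key: str) -> str:
    # Assumption: SHA-256. The page does not name the hash the service uses.
    # A fast hash is adequate here because the key is high-entropy random
    # data, unlike a human-chosen password.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()

def generate_key(store: dict, name: str, expires_at: datetime) -> str:
    """Create a key, persist only its hash, return the plaintext once."""
    key = PREFIX + secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    key_id = secrets.token_hex(8)             # hypothetical record id
    store[key_id] = {"name": name, "hash": digest(key),
                     "expires_at": expires_at, "revoked": False}
    return key  # the only moment the plaintext exists on the server

def verify_key(store: dict, presented: str, now: datetime) -> Optional[str]:
    """Return the matching key id, or None if unknown, revoked or expired."""
    if not presented.startswith(PREFIX):
        return None
    candidate = digest(presented)
    for key_id, rec in store.items():
        # Constant-time comparison so timing does not leak hash prefixes.
        if hmac.compare_digest(candidate, rec["hash"]):
            if rec["revoked"] or now >= rec["expires_at"]:
                return None
            return key_id
    return None

def revoke_key(store: dict, key_id: str) -> None:
    """Mark a key unusable; its hash stays for audit purposes."""
    store[key_id]["revoked"] = True

if __name__ == "__main__":
    db = {}  # constructed in-memory store standing in for a database
    k = generate_key(db, "CI Pipeline",
                     datetime(2027, 1, 1, tzinfo=timezone.utc))
    print("show once:", k)
    print("stored record:", db)
    print("verified id:", verify_key(db, k, datetime.now(timezone.utc)))
```

Because only the digest is persisted, a leaked copy of the store does not yield usable keys, and a lost key can only be replaced, not recovered.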
Endpoints
List Keys
GET /api-keys
Authorization: Bearer <jwt-token>
Generate Key
POST /api-keys
Authorization: Bearer <jwt-token>
Content-Type: application/json

{
  "name": "CI Pipeline",
  "expiresAt": "2027-01-01T00:00:00Z"
}
Revoke Key
DELETE /api-keys/:keyId
Authorization: Bearer <jwt-token>
Using API Keys
Include the key as a Bearer token:
curl -H "Authorization: Bearer ss_key_abc123..." \
  https://api.surestage.com/v1/instances
Security Considerations
- Store keys securely (environment variables, secret managers)
- Set expiration dates for all keys
- Use the minimum required scope
- Rotate keys periodically
- Revoke compromised keys immediately