API Keys
API keys are service-principal credentials for customer-owned automation. API key management endpoints require a user subject. A token that is itself an API key cannot create, reveal, list, or delete API keys.
Management Flow
- Authenticate with a user JWT.
- POST /integrations/api-keys to create a key.
- Store the returned key immediately. It is secret material.
- Use Authorization: Bearer bzy_live_... for server-to-server requests.
- Rotate and delete unused keys with the management endpoints.
Safety Expectations
- Store keys only in secret managers or equivalent encrypted configuration.
- Do not log full key values.
- Prefer one key per integration or automation owner.
- Delete keys immediately when an integration is retired.
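One way to enforce "Do not log full key values" is to redact keys before a log line or structured record reaches the logger. This is an added example, not code from this project: the names redactKeys and redactRecord are hypothetical, and the character set of the secret after the documented bzy_live_ prefix and the four-character visible tail are assumptions.

```typescript
// Assumption: the secret after the documented "bzy_live_" prefix uses
// URL-safe characters. Adjust the character class to the real key format.
const KEY_PREFIX = "bzy_live_";
const KEY_PATTERN = /\bbzy_live_[A-Za-z0-9_-]+/g;
const VISIBLE_TAIL = 4; // assumed: trailing characters kept to tell keys apart
const MIN_SECRET_FOR_TAIL = 16; // shorter secrets are masked completely

// Replace every API key found in free text with a masked form.
function redactKeys(text: string): string {
  return text.replace(KEY_PATTERN, (key: string) => {
    const secret = key.slice(KEY_PREFIX.length);
    const tail =
      secret.length >= MIN_SECRET_FOR_TAIL ? secret.slice(-VISIBLE_TAIL) : "";
    return KEY_PREFIX + "****" + tail;
  });
}

// Recursively redact a structured log record (strings, arrays, objects).
// Any field named "authorization" is dropped whole, which also keeps
// user JWTs out of the logs.
function redactRecord(value: unknown): unknown {
  if (typeof value === "string") return redactKeys(value);
  if (Array.isArray(value)) return value.map(redactRecord);
  if (value !== null && typeof value === "object") {
    const input = value as Record<string, unknown>;
    const out: Record<string, unknown> = {};
    for (const name of Object.keys(input)) {
      out[name] =
        name.toLowerCase() === "authorization"
          ? "[redacted]"
          : redactRecord(input[name]);
    }
    return out;
  }
  return value; // numbers, booleans, null, undefined pass through
}

// Constructed sample input; the key below is not a real credential.
const SAMPLE_LINE =
  "retrying with Authorization: Bearer bzy_live_CONSTRUCTEDsampleKEY0001 after 502";
console.log(redactKeys(SAMPLE_LINE));
```

Apply the redaction at the logging boundary (a logger serializer or formatter) so individual call sites cannot bypass it.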
packages/backend/src/orpc/router/api-keys.ts