API keys
Mint a project-bound fvpn_v1_ API key in the console, make your first authenticated /platform/v1 call, and manage the key's lifecycle.
API keys are the server-to-server credential for the /platform/v1 plane: a
single fvpn_v1_… secret you send as a Bearer token. Keys are
- project-bound — a key authenticates only inside the project it was
minted in; pairing it with any other
X-Project-Idis a401; - hashed at rest — the platform stores a SHA-256 hash, never the secret;
- shown exactly once — the plaintext secret appears in the mint (or rotate) response and is never retrievable again.
1. Mint a key in the console
In the console, open your project and go to Platform →
Settings → API keys (/console/p/{project}/platform/settings/api-keys).
Create a key, give it a recognizable name (ci-deploy, billing-sync), and
copy the secret from the one-time reveal — once you close it, only the
display prefix (fvpn_v1_ab12…cd34) remains visible.
Prefer the API? The same operation is POST /platform/v1/api-keys with your
console session's Bearer token:
curl -X POST https://api.fvpn.net/platform/v1/api-keys \
-H "Authorization: Bearer $STAFF_TOKEN" \
-H "X-Project-Id: $FVPN_PROJECT_ID" \
-H "Content-Type: application/json" \
-d '{"name":"ci-deploy"}'The response carries the redacted key row plus the one-time secret:
{
"key": {
"id": "8b9c1a2e-…",
"name": "ci-deploy",
"key_prefix": "fvpn_v1_ab12…cd34",
"created_at": "2026-07-08T09:00:00Z",
"last_used_at": null
},
"secret": "fvpn_v1_<96 hex characters>"
}Store the secret now — it is shown exactly once.
2. First authenticated call
Use the key anywhere a /platform/v1 Bearer token is accepted:
curl https://api.fvpn.net/platform/v1/api-keys \
-H "Authorization: Bearer $FVPN_API_KEY" \
-H "X-Project-Id: $FVPN_PROJECT_ID"A 200 with the project's redacted key list confirms the funnel end to end.
The same call in every SDK is the first example of each
quickstart.
3. Key lifecycle
| Operation | Endpoint | Notes |
|---|---|---|
| List | GET /platform/v1/api-keys | Redacted rows only — key_prefix, never the secret |
| Rotate | POST /platform/v1/api-keys/{id}/rotate | A fresh secret is returned once; the old secret is a 401 immediately |
| Revoke | DELETE /platform/v1/api-keys/{id} | Immediate — the key stops authenticating at once |
Last use is tracked. Each row's last_used_at records when the key last
authenticated a request (updated at most once per minute per key, so
steady-state traffic doesn't hot-write the row). Watch it to find stale keys
worth revoking — and rotate keys on your own schedule; rotation is designed
to be routine, not an emergency procedure.
Reference
The full request/response shapes live in the generated
API reference under platform-api-keys. The mint → call →
revoke funnel on this page is executed verbatim by
scripts/quickstart-verify/api-key-auth.sh in the repository.