Skip to content
Infrastructure API

API keys

Mint a project-bound fvpn_v1_ API key in the console, make your first authenticated /platform/v1 call, and manage the key's lifecycle.

API keys are the server-to-server credential for the /platform/v1 plane: a single fvpn_v1_… secret you send as a Bearer token. Keys are

  • project-bound — a key authenticates only inside the project it was minted in; pairing it with any other X-Project-Id is a 401;
  • hashed at rest — the platform stores a SHA-256 hash, never the secret;
  • shown exactly once — the plaintext secret appears in the mint (or rotate) response and is never retrievable again.

1. Mint a key in the console

In the console, open your project and go to Platform → Settings → API keys (/console/p/{project}/platform/settings/api-keys). Create a key, give it a recognizable name (ci-deploy, billing-sync), and copy the secret from the one-time reveal — once you close it, only the display prefix (fvpn_v1_ab12…cd34) remains visible.

Prefer the API? The same operation is POST /platform/v1/api-keys with your console session's Bearer token:

curl -X POST https://api.fvpn.net/platform/v1/api-keys \
  -H "Authorization: Bearer $STAFF_TOKEN" \
  -H "X-Project-Id: $FVPN_PROJECT_ID" \
  -H "Content-Type: application/json" \
  -d '{"name":"ci-deploy"}'

The response carries the redacted key row plus the one-time secret:

{
  "key": {
    "id": "8b9c1a2e-…",
    "name": "ci-deploy",
    "key_prefix": "fvpn_v1_ab12…cd34",
    "created_at": "2026-07-08T09:00:00Z",
    "last_used_at": null
  },
  "secret": "fvpn_v1_<96 hex characters>"
}

Store the secret now — it is shown exactly once.

2. First authenticated call

Use the key anywhere a /platform/v1 Bearer token is accepted:

curl https://api.fvpn.net/platform/v1/api-keys \
  -H "Authorization: Bearer $FVPN_API_KEY" \
  -H "X-Project-Id: $FVPN_PROJECT_ID"

A 200 with the project's redacted key list confirms the funnel end to end. The same call in every SDK is the first example of each quickstart.

3. Key lifecycle

OperationEndpointNotes
ListGET /platform/v1/api-keysRedacted rows only — key_prefix, never the secret
RotatePOST /platform/v1/api-keys/{id}/rotateA fresh secret is returned once; the old secret is a 401 immediately
RevokeDELETE /platform/v1/api-keys/{id}Immediate — the key stops authenticating at once

Last use is tracked. Each row's last_used_at records when the key last authenticated a request (updated at most once per minute per key, so steady-state traffic doesn't hot-write the row). Watch it to find stale keys worth revoking — and rotate keys on your own schedule; rotation is designed to be routine, not an emergency procedure.

Reference

The full request/response shapes live in the generated API reference under platform-api-keys. The mint → call → revoke funnel on this page is executed verbatim by scripts/quickstart-verify/api-key-auth.sh in the repository.