API key restrictions
Lock an API key down to exactly what it needs: a set of scopes, an IP allow-list and an expiry.
Scopes
A key can be limited to a subset of scopes. A request with a key missing the required scope returns 403. A key created with no scopes has full access. Session tokens (the dashboard) always have full access.
| Scope | Grants |
|---|---|
| servers:read | List/get servers, resources |
| servers:write | Deploy, resize, delete |
| servers:power | Power signals, commands, console |
| files:read | List, read, download files |
| files:write | Write, delete files |
| billing:read | Balance, transactions, invoices, budget |
| billing:write | Checkout, change budget |
| keys:write | Create / revoke API keys |
IP allow-list
Restrict a key to specific source IPs. Entries can be exact IPs or prefixes (e.g. 10.0.0. matches a subnet). A request from any other address returns 403. Leave empty to allow any IP.
Expiry
Set expiresInDays to make a key stop working after a deadline — ideal for CI tokens or temporary integrations. Expired keys return 401.
Create a restricted key
```bash
POST /v1/keys
{
  "name": "ci-deploy",
  "scopes": ["servers:read", "servers:write"],
  "allowedIps": ["203.0.113.4"],
  "expiresInDays": 90
}

→ { "id": "...", "secret": "ak_live_...", "message": "Store this secret now." }
```
The secret is returned once. List keys (with their restrictions) at GET /v1/keys.
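A pre-flight check for a key-creation body before it is sent to POST /v1/keys, given here as an added example rather than code from this service. The function name `lint_key_request` is hypothetical, and the trailing-separator check assumes prefix entries are compared as plain strings, which this page does not state.

```python
import ipaddress

# Scope names copied from the table on this page.
KNOWN_SCOPES = {
    "servers:read", "servers:write", "servers:power",
    "files:read", "files:write",
    "billing:read", "billing:write", "keys:write",
}

def lint_key_request(body):
    """Return a list of findings for a POST /v1/keys request body (a dict)."""
    findings = []

    scopes = body.get("scopes") or []
    if not scopes:
        findings.append("scopes: empty, key would have full access")
    for scope in scopes:
        if scope not in KNOWN_SCOPES:
            findings.append(f"scopes: unknown scope {scope!r}")
    if "keys:write" in scopes:
        findings.append("scopes: keys:write allows creating and revoking API keys")

    ips = body.get("allowedIps") or []
    if not ips:
        findings.append("allowedIps: empty, key usable from any IP")
    for entry in ips:
        try:
            ipaddress.ip_address(entry)  # exact address, nothing to flag
            continue
        except ValueError:
            pass
        # Assumption: prefixes are matched as plain strings, so "10.0.1"
        # would also cover 10.0.10.x and 10.0.100.x; "10.0.1." would not.
        if not entry.endswith((".", ":")):
            findings.append(f"allowedIps: prefix {entry!r} has no trailing separator")

    days = body.get("expiresInDays")
    if days is None:
        findings.append("expiresInDays: not set, no expiry deadline requested")
    elif not isinstance(days, int) or days <= 0:
        findings.append(f"expiresInDays: invalid value {days!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample: an over-broad request body.
    loose = {"name": "tmp", "scopes": [], "allowedIps": ["10.0.1"]}
    for finding in lint_key_request(loose):
        print(finding)
```
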
See Authentication for how keys are verified on every request.