API Keys
Maintained by: Aether365 Team
Audience: Developers
Scope: API key management endpoints
API keys are used to authenticate requests to the REST API without a user session.
Each API key is bound to the tenant account that created it. API keys have the same access as a team member - they can read and write all tenant data but cannot change billing or plan settings.
List API Keys
Returns all active API keys for the tenant.
GET /tenants/me/api-keys
INFO
For security, the full key value is only returned once - at creation time. Subsequent list requests show only the key prefix and metadata.
Example Request
```bash
curl https://api.aether365.io/tenants/me/api-keys \
  -H "Authorization: Bearer <token>"
```
Example Response
```json
{
  "success": true,
  "data": [
    {
      "id": "key_abc123",
      "name": "CI pipeline",
      "prefix": "ae_live_abc1",
      "createdAt": "2026-03-01T09:00:00Z",
      "lastUsedAt": "2026-04-10T14:23:00Z"
    }
  ]
}
```
Response Fields
| Field | Type | Description |
|---|---|---|
| id | string | Key identifier |
| name | string | Display name |
| prefix | string | First 12 characters of the key (for identification) |
| createdAt | string | ISO 8601 timestamp |
| lastUsedAt | string or null | ISO 8601 timestamp of last authenticated request |
Create an API Key
Creates a new API key. The full key value is returned once and cannot be retrieved again.
POST /tenants/me/api-keys
Request Body
```json
{
  "name": "CI pipeline"
}
```
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Display name for the key |
Example Request
```bash
curl -X POST https://api.aether365.io/tenants/me/api-keys \
  -H "Authorization: Bearer <token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI pipeline"}'
```
Example Response
```json
{
  "success": true,
  "data": {
    "id": "key_abc123",
    "name": "CI pipeline",
    "key": "ae_live_abc123xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "prefix": "ae_live_abc1",
    "createdAt": "2026-04-12T10:00:00Z",
    "lastUsedAt": null
  }
}
```
Store the key immediately
The key field is only returned in this response. It cannot be retrieved later. Store it in a secrets manager (GitHub Actions secrets, HashiCorp Vault, etc.) immediately.
Delete an API Key
Permanently revokes an API key. Any requests using this key will return 401 immediately.
DELETE /tenants/me/api-keys/{keyId}
Example Request
```bash
curl -X DELETE https://api.aether365.io/tenants/me/api-keys/key_abc123 \
  -H "Authorization: Bearer <token>"
```
Example Response
```json
{
  "success": true,
  "data": null
}
```
Using an API Key
Pass the API key as a Bearer token in the Authorization header:
```bash
curl https://api.aether365.io/tenants/me/scans \
  -H "Authorization: Bearer ae_live_abc123xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
```
API keys work the same way as session tokens for all endpoints. They do not expire, but you can rotate them by creating a new key and deleting the old one.
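Because keys do not expire, rotation depends on noticing keys that are old or unused. The following added example (not part of the Aether365 documentation) audits a List API Keys response for such keys; the 90-day age and 30-day idle thresholds, the function names, and the sample data are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds; the API documentation defines none.
MAX_KEY_AGE = timedelta(days=90)
MAX_IDLE = timedelta(days=30)

def parse_ts(value):
    """Parse the API's ISO 8601 timestamps, e.g. 2026-03-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def find_rotation_candidates(list_response, now):
    """Return (id, prefix, reasons) for keys due for rotation or deletion."""
    if not list_response.get("success"):
        raise ValueError("list request did not succeed")
    findings = []
    for key in list_response["data"]:
        reasons = []
        created = parse_ts(key["createdAt"])
        if now - created > MAX_KEY_AGE:
            reasons.append("older than max key age")
        last_used = key.get("lastUsedAt")
        if last_used is None:
            # Give a freshly created key the idle window before reporting it.
            if now - created > MAX_IDLE:
                reasons.append("never used")
        elif now - parse_ts(last_used) > MAX_IDLE:
            reasons.append("idle")
        if reasons:
            findings.append((key["id"], key["prefix"], reasons))
    return findings

# Constructed sample in the shape of the List API Keys response.
SAMPLE = {"success": True, "data": [
    {"id": "key_abc123", "name": "CI pipeline", "prefix": "ae_live_abc1",
     "createdAt": "2026-03-01T09:00:00Z", "lastUsedAt": "2026-04-10T14:23:00Z"},
    {"id": "key_old001", "name": "Legacy import", "prefix": "ae_live_old0",
     "createdAt": "2025-11-01T09:00:00Z", "lastUsedAt": "2026-04-11T08:00:00Z"},
    {"id": "key_idle02", "name": "Old dashboard", "prefix": "ae_live_idl2",
     "createdAt": "2026-02-01T08:00:00Z", "lastUsedAt": "2026-02-15T12:00:00Z"},
    {"id": "key_new003", "name": "New deploy", "prefix": "ae_live_new3",
     "createdAt": "2026-04-12T09:00:00Z", "lastUsedAt": None},
    {"id": "key_unused4", "name": "Forgotten test", "prefix": "ae_live_unu4",
     "createdAt": "2026-02-20T09:00:00Z", "lastUsedAt": None},
]}
NOW = datetime(2026, 4, 12, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key_id, prefix, reasons in find_rotation_candidates(SAMPLE, NOW):
        print(f"{key_id} ({prefix}...): {', '.join(reasons)}")
```

Each reported `id` can be passed to the DELETE endpoint once a replacement key has been created and stored.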
Rate Limits
The API is rate-limited to 120 requests per minute per API key. Requests that exceed the rate limit receive a 429 Too Many Requests response. The response includes a Retry-After header indicating when you can retry.