API keys enable non-interactive authentication for the Ghostly SDK, CLI pipelines, and MCP integrations. Instead of a session JWT, clients include the key in an X-Api-Key header with every request. All three management endpoints in this group (list, create, and delete) require an active JWT session to call. This design means you must be logged in to the dashboard (or use another privileged mechanism) to issue or revoke keys.
Keys generated by the ghostly keygen CLI command are stored locally in ~/.ghostly/auth.json on your machine and are not managed by these endpoints. The /v1/api-keys endpoints exclusively manage keys issued through the dashboard.
GET /v1/api-keys — List all API keys
Returns all API keys that belong to the authenticated user. For security, only the first 8 characters of each key are returned; the rest is replaced with ••••••••.
Authentication
Requires a valid JWT in the Authorization: Bearer <token> header.
Response — 200 OK
Returns a JSON array. Each element represents a stored key.
UUID that uniquely identifies this key record.
The human-readable name assigned when the key was created.
The masked key value: the first 8 characters followed by •••••••• (e.g. "a1b2c3d4••••••••"). The full key is never returned by this endpoint.
ISO 8601 timestamp of key creation.
curl example
Example response
POST /v1/api-keys — Create a new API key
Generates a new 64-character hex API key using randomBytes(32).toString('hex') and stores it in association with the authenticated user. The full key is returned only in this creation response; it cannot be retrieved again afterwards.
Authentication
Requires a valid JWT in the Authorization: Bearer <token> header.
Request body
A human-readable name for this key (e.g. "CI Pipeline", "Local Dev"). Must be a non-empty string after trimming whitespace. Used to identify the key in the list view.
Response — 201 Created
The UUID of the newly created key record.
The label as stored (trimmed).
The full, unmasked API key. This is the only time the complete key value is available. Copy and store it immediately.
ISO 8601 creation timestamp.
Example response
curl example
Using the key immediately after creation
DELETE /v1/api-keys/:id — Delete an API key
Permanently revokes a key by its record ID. After deletion, any client using that key will receive a 401 Unauthorized on their next request.
Authentication
Requires a valid JWT in the Authorization: Bearer <token> header.
Path parameters
The UUID of the API key record to delete. Must match a key that belongs to the authenticated user.
Response — 200 OK
Always true when the key was found and deleted successfully.
Response — 404 Not Found
Returned when no key with the given id exists, or when the key exists but belongs to a different user. The same response shape is used for both cases to prevent key ID enumeration.
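The behaviour documented above (one-time return of the full key, prefix masking in the list view, and the uniform 404 on delete) as an in-memory Node.js sketch; this is an added example, not Ghostly's own code. The response field names, the 400 status for an empty label, the error body, and storing only a prefix plus SHA-256 digest are assumptions of this sketch.

```javascript
const { randomBytes, randomUUID, createHash } = require('node:crypto');

const MASK = '••••••••';
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

// Hypothetical store: record id -> { userId, label, prefix, digest, createdAt }
const store = new Map();

function createKey(userId, label) {
  const trimmed = typeof label === 'string' ? label.trim() : '';
  if (!trimmed) return { status: 400, body: { error: 'label is required' } }; // assumed status
  const key = randomBytes(32).toString('hex'); // 64 hex characters, as documented
  const id = randomUUID();
  const createdAt = new Date().toISOString();
  // Assumption: keep only the 8-character prefix and a digest, so the full
  // key exists server-side only for the duration of this response.
  store.set(id, { userId, label: trimmed, prefix: key.slice(0, 8), digest: sha256(key), createdAt });
  return { status: 201, body: { id, label: trimmed, key, createdAt } };
}

function listKeys(userId) {
  const body = [];
  for (const [id, r] of store) {
    if (r.userId !== userId) continue; // only the caller's own keys
    body.push({ id, label: r.label, key: r.prefix + MASK, createdAt: r.createdAt });
  }
  return { status: 200, body };
}

function deleteKey(userId, id) {
  const r = store.get(id);
  // Unknown id and another user's id return the identical 404, so the
  // response cannot be used to probe which record ids exist.
  if (!r || r.userId !== userId) return { status: 404, body: { error: 'Not found' } };
  store.delete(id);
  return { status: 200, body: { deleted: true } }; // field name is hypothetical
}

// Resolve an X-Api-Key header value to its owner; null maps to 401 Unauthorized.
function authenticate(apiKey) {
  const digest = sha256(String(apiKey));
  for (const r of store.values()) if (r.digest === digest) return r.userId;
  return null;
}
```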