API keys
Programmatic access for CI/CD and automation.
Create
Account → API keys → Generate. Modal asks for:
- Name (e.g. "GitHub Actions").
- Scopes (read / write / agent / admin).
- Expiry (1 day / 1 month / 1 year / never).
The key is shown once. Copy it now: it's hashed server-side and not stored in plaintext.
Format
kf_<env>_<random>
e.g. kf_live_abc123def456… (production) or kf_test_… (test environments).
The prefix lets you tell at a glance which environment a leaked key belongs to.
Use
In any HTTP request:
Authorization: Bearer kf_live_…
Or as ?api_key=… on GET endpoints (less secure — only for browser-restricted contexts).
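An added example, not part of the original documentation or the product's own code: a scanner that finds kf_ keys in log or config lines, reads the environment from the prefix, and flags keys that arrived as ?api_key= (URLs are commonly written to access logs). The random part's character set and minimum length, the function names and the sample lines are assumptions.

```python
import re

# Assumption: the random part is alphanumeric and at least 8 characters long;
# the page only specifies the kf_<env>_<random> layout.
KEY_RE = re.compile(r"\bkf_(live|test)_([A-Za-z0-9]{8,})\b")
ENVIRONMENTS = {"live": "production", "test": "test"}


def redact(key: str) -> str:
    """Keep the env prefix plus 4 characters, like the key list view."""
    head, env, rand = key.split("_", 2)
    return f"{head}_{env}_{rand[:4]}***"


def scan(lines):
    """Return one finding per key occurrence, never the full key."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for m in KEY_RE.finditer(line):
            before = line[:m.start()]
            if before.endswith("api_key="):
                source = "query-string"
            elif before.rstrip().lower().endswith("bearer"):
                source = "bearer-header"
            else:
                source = "other"
            findings.append({"line": lineno,
                             "environment": ENVIRONMENTS[m.group(1)],
                             "source": source,
                             "key": redact(m.group(0))})
    return findings


def scrub(line: str) -> str:
    """Replace every key in a line with its redacted form before storing it."""
    return KEY_RE.sub(lambda m: redact(m.group(0)), line)


# Constructed sample lines (not real keys or real log output).
SAMPLE = [
    'GET /api/project/demo?api_key=kf_live_abc123def456 HTTP/1.1" 200',
    "curl -H 'Authorization: Bearer kf_test_zz99yy88xx77' https://example.invalid/",
    "export KF_TOKEN=kf_live_Q1w2E3r4T5y6",
    "GET /api/project/demo HTTP/1.1 200",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Any finding means the key should be revoked and reissued; run scrub over lines before they are shipped to log storage.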
List
GET /api/account/api-keys returns your keys, each shown by prefix only (kf_live_abc1***), with its scopes, expiry and last-used timestamp.
Revoke
DELETE /api/account/api-keys/<key_id> — immediate. Any in-flight request using the key fails on next check.
Revocation can't be undone.
Scopes
| Scope | Endpoints |
|---|---|
| read | GET /api/project/*, GET /api/agent/history. |
| write | All read + file write endpoints. |
| agent | All write + can run agent (spends budget). |
| admin | All agent + workspace settings, secrets, account-level. |
Always grant the narrowest scope that does the job.
Rate limits
Per key:
- 600 requests / minute.
- 10 concurrent agent runs.
- Hard cap on weekly spend (set per key at creation).
Limits reset on the minute / week boundary.