API keys

API keys are bearer tokens scoped to an organization. Mint them in the dashboard or via the API; pass them on every request as Authorization: Bearer act_….

The ApiKeySummary object never carries a raw token — only a prefix (the first few characters) for UI recognition:

```json
{
  "id": "9f7a32b5-…",
  "name": "ci-bot",
  "prefix": "act_a1b2",
  "rateLimitPerMin": 60,
  "expiresAt": "2027-04-12T10:00:00Z",
  "createdAt": "2026-04-12T10:00:00Z",
  "revokedAt": null
}
```

Scopes

API keys ship with a fixed admin-equivalent scope today — they can read and write every flag, config, segment, project, environment, and audit row in their organization. Org-management actions (creating orgs, deleting orgs, minting other API keys, changing member roles) remain session-only.

Per-key rate limits are configurable at mint time (default 60 req/min, max 10000, capped by the org's maxRateLimitPerMin). Every authenticated bearer response carries the X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers; a 429 response carries Retry-After: <seconds>.

List API keys

```http
GET /api/v1/orgs/{slug}/api-keys
```

Returns every API key minted in the org, including revoked ones (kept for history).

Response: 200 → ApiKeySummary[]

Mint an API key

```http
POST /api/v1/orgs/{slug}/api-keys
Cookie: actuator_session=…
Content-Type: application/json

{
  "name": "ci-bot",
  "expiresInSeconds": 31536000,
  "rateLimitPerMin": 120
}
```

Session-authenticated, admin or owner.

The raw token is returned once in the response — store it immediately. The server stores only a SHA-256 hash; the token cannot be recovered after this response.

expiresInSeconds is optional (1 to 31536000 = 365 days); omit it for a non-expiring key. rateLimitPerMin is optional (1 to min(10000, org.maxRateLimitPerMin)); it defaults to min(60, org.maxRateLimitPerMin).

Response: 201 → ApiKeyMintResponse

```json
{
  "id": "9f7a32b5-…",
  "name": "ci-bot",
  "prefix": "act_a1b2",
  "rateLimitPerMin": 120,
  "expiresAt": "2027-04-12T10:00:00Z",
  "createdAt": "2026-04-12T10:00:00Z",
  "token": "act_a1b2c3d4e5f6…"
}
```

Errors: 400 invalid_request, 403 insufficient_role, 404 not_found.

Revoke an API key

```http
DELETE /api/v1/orgs/{slug}/api-keys/{id}
Cookie: actuator_session=…
```
Cookie: actuator_session=…

Session-authenticated, admin or owner. Idempotent — re-revoking returns 204 either way. Subsequent requests with the revoked token return 401.

Response: 204 No Content

Errors: 403 insufficient_role, 404 not_found.
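The mint and revoke rules above (raw token returned once, only a SHA-256 hash stored, UI prefix only, 401 for revoked or expired tokens) as an added example that is not the service's own code. The in-memory store, the record fields and the function names are assumptions made for the illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

TOKEN_PREFIX = "act_"                        # token format shown on the page
UI_PREFIX_LEN = len(TOKEN_PREFIX) + 4        # "act_a1b2": enough to recognise, not to use
MAX_EXPIRY_SECONDS = 31536000                # 365 days, the page's upper bound

@dataclass
class StoredKey:                             # assumed storage shape
    id: str
    name: str
    prefix: str                  # first characters only; safe to show in a UI
    token_hash: str              # SHA-256 hex digest; the raw token is never stored
    expires_at: Optional[datetime]
    revoked_at: Optional[datetime] = None

def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def mint_key(store: dict, name: str, expires_in_seconds: Optional[int] = None,
             now: Optional[datetime] = None) -> tuple[StoredKey, str]:
    """Return (stored record, raw token). The raw token exists only in this
    return value; the store keeps the hash, so it cannot be recovered later."""
    now = now or datetime.now(timezone.utc)
    if expires_in_seconds is not None and not 1 <= expires_in_seconds <= MAX_EXPIRY_SECONDS:
        raise ValueError("expiresInSeconds must be between 1 and 31536000")
    raw = TOKEN_PREFIX + secrets.token_hex(24)          # 192 bits of CSPRNG entropy
    expires_at = now + timedelta(seconds=expires_in_seconds) if expires_in_seconds else None
    rec = StoredKey(secrets.token_hex(16), name, raw[:UI_PREFIX_LEN], hash_token(raw), expires_at)
    store[rec.token_hash] = rec                         # keyed by hash, never by token
    return rec, raw

def authenticate(store: dict, authorization: str,
                 now: Optional[datetime] = None) -> Optional[StoredKey]:
    """Resolve an Authorization header to a live key; None means 401.
    Looking up by hash means a leaked store does not yield usable tokens."""
    now = now or datetime.now(timezone.utc)
    scheme, _, token = authorization.partition(" ")
    if scheme != "Bearer" or not token.startswith(TOKEN_PREFIX):
        return None
    rec = store.get(hash_token(token))
    if rec is None or rec.revoked_at is not None:
        return None                                     # unknown or revoked -> 401
    if rec.expires_at is not None and now >= rec.expires_at:
        return None                                     # expired -> 401
    return rec
```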