/v1 API. A key belongs to one account, one region, and one set of scopes.
Access
Members can inspect key metadata but management actions are disabled.
Create a key
1
Open API keys
From the dashboard, open API keys for the selected account.
2
Name the key
Use a clear name such as
production-worker-us or ci-smoke-tests. Names
can be up to 100 characters.3
Choose scopes
Pick a preset or use custom scope triples.
4
Optional: add expiry and IPs
Set an expiration date or an IP allowlist. If no IPs are set, all client IPs
are allowed.
5
Store the key
Copy the full
bye_... key before closing the dialog. It cannot be
retrieved later.Permission presets
Scope reference
IP allowlists
Use IP allowlists for fixed server workloads or CI runners.- Up to 50 entries per key.
- Each entry can be up to 45 characters.
nullallowlist means all IPs are allowed.- Disallowed clients receive
BSE1007with typeip_not_allowed.
Rotate a key
Rotation creates a new key with the same scopes and IP allowlist. The old key stays valid during the grace period.1
Rotate in the dashboard
Open the key action menu and choose Rotate.
2
Deploy the new key
Store the new value in your secret manager and deploy it to all consumers.
3
Wait for the grace period
Confirm logs show traffic from the new key prefix.
4
Revoke the old key if needed
Revoke early if you are responding to exposure or no longer need the
overlap.
Revoke vs delete
What is logged
Every API request records key usage metadata:- key prefix
- endpoint and method
- status code
- error code
- idempotency replay flag
- sanitized query parameters
- SHA-256 IP hash
- user agent
- timestamp
