API keys allow your application to authenticate against the Swisstools Feature Flags SDK endpoint (GET /api/flags/:recordId) without a user session. Each key is scoped to the project it was created in — it can only resolve flag values for records that belong to that project. The raw key value is returned only once at creation time and is never retrievable again. After creation, the dashboard shows only a short prefix (e.g., fk_2a9bX1c…) so you can identify keys without exposing the full secret. All API key management endpoints require session authentication. See Authentication for details.

List API Keys

GET /api/projects/:projectId/api-keys

Returns all API keys for the project. The rawKey field is not included in list responses — only the prefix and metadata are returned.

Path Parameters

projectId (string, required)
The project’s public reference ID (KSUID), shown in Project settings → General.

Request
curl https://swisstools.dev/api/projects/3DS7IwHB2HHfSP61DzDHVTXt7KK/api-keys \
  -b cookies.txt
Response
[
  {
    "id": "018ec2ad-9e1f-5a6b-c7d8-0e1f2a3b4c5d",
    "projectId": "018e5a3b-2d4e-8c9f-a0b1-3c4d5e6f7a8b",
    "name": "Production",
    "keyPrefix": "fk_2a9bX1c",
    "expiresAt": null,
    "lastUsedAt": "2024-04-01T14:22:00.000Z",
    "revokedAt": null,
    "createdAt": "2024-02-20T10:00:00.000Z"
  }
]

Create API Key

POST /api/projects/:projectId/api-keys

Creates a new API key for the project and returns the full key value. Store it immediately — this is the only time the complete key is shown.

Path Parameters

projectId (string, required)
The project’s public reference ID (KSUID), shown in Project settings → General.

Request Body

name (string, required)
A label for the key (e.g., Production, CI, Staging). Helps you identify keys in the dashboard.

expiresAt (string)
Optional ISO 8601 expiration timestamp. Omit or send null for a key that never expires; past timestamps are rejected with 400.

Request
curl -X POST https://swisstools.dev/api/projects/3DS7IwHB2HHfSP61DzDHVTXt7KK/api-keys \
  -b cookies.txt \
  -H "Content-Type: application/json" \
  -d '{"name": "Production", "expiresAt": "2026-06-07T00:00:00.000Z"}'
Response 201 Created
{
  "id": "018ec2ad-9e1f-5a6b-c7d8-0e1f2a3b4c5d",
  "projectId": "018e5a3b-2d4e-8c9f-a0b1-3c4d5e6f7a8b",
  "name": "Production",
  "rawKey": "fk_2a9bX1c0d3e4f5g6h7i8j9k0",
  "keyPrefix": "fk_2a9bX1c",
  "expiresAt": null,
  "lastUsedAt": null,
  "revokedAt": null,
  "createdAt": "2024-02-20T10:00:00.000Z"
}
The rawKey field is returned only in this creation response. Swisstools stores only a hash of the key and cannot recover the original value. Copy it to a secure location (such as a secrets manager or environment variable) before leaving this screen.

Revoke API Key

DELETE /api/projects/:projectId/api-keys/:keyId

Immediately revokes the key. Any requests made with this key after revocation will be rejected with 401 Unauthorized. This action cannot be undone — create a new key if you need to replace it.

Path Parameters

projectId (string, required)
The project’s public reference ID (KSUID), shown in Project settings → General.

keyId (string, required)
The id (UUID) of the API key to revoke, from the list response.

Request
curl -X DELETE https://swisstools.dev/api/projects/3DS7IwHB2HHfSP61DzDHVTXt7KK/api-keys/018ec2ad-9e1f-5a6b-c7d8-0e1f2a3b4c5d \
  -b cookies.txt
Response
{"success": true}

API Key Object

id (string)
UUID that uniquely identifies the API key record. Used as :keyId when revoking.

projectId (string)
Internal ID of the project this key is scoped to.

name (string)
The label you gave the key when you created it.

rawKey (string)
The full API key string, prefixed with fk_. Only present in the creation response.

keyPrefix (string)
The first 10 characters of the key (e.g., fk_2a9bX1c). Shown in list responses to help identify keys without exposing the secret.

expiresAt (string)
ISO 8601 timestamp when the key expires, or null if it never expires.

lastUsedAt (string)
ISO 8601 timestamp of the most recent authenticated request using this key, or null if the key has never been used.

revokedAt (string)
ISO 8601 timestamp of when the key was revoked, or null if it is still active.

createdAt (string)
ISO 8601 timestamp of when the key was created.
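
The metadata in the list response is enough to review key hygiene without handling any secret. The following Python example is added here and is not part of the Swisstools documentation: it flags active keys that have no expiry, have passed their expiry without being revoked, or have not been used recently. The 90-day threshold, the finding labels, and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, trimmed to the list-response fields the audit reads.
SAMPLE_KEYS = json.loads("""[
 {"id": "k-prod", "keyPrefix": "fk_AAAAAAA", "expiresAt": null, "revokedAt": null,
  "lastUsedAt": "2024-05-30T09:00:00.000Z", "createdAt": "2024-02-20T10:00:00.000Z"},
 {"id": "k-ci", "keyPrefix": "fk_BBBBBBB", "expiresAt": "2024-12-31T00:00:00.000Z",
  "revokedAt": null, "lastUsedAt": null, "createdAt": "2024-01-05T10:00:00.000Z"},
 {"id": "k-stage", "keyPrefix": "fk_CCCCCCC", "expiresAt": "2024-05-01T00:00:00.000Z",
  "revokedAt": null, "lastUsedAt": "2024-02-01T08:00:00.000Z", "createdAt": "2023-11-01T10:00:00.000Z"},
 {"id": "k-old", "keyPrefix": "fk_DDDDDDD", "expiresAt": null,
  "revokedAt": "2024-03-01T00:00:00.000Z", "lastUsedAt": null, "createdAt": "2023-06-01T10:00:00.000Z"},
 {"id": "k-ok", "keyPrefix": "fk_EEEEEEE", "expiresAt": "2024-09-01T00:00:00.000Z",
  "revokedAt": null, "lastUsedAt": "2024-05-31T12:00:00.000Z", "createdAt": "2024-05-01T10:00:00.000Z"}
]""")
SAMPLE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_ts(value):
    """Parse an ISO 8601 timestamp with a trailing Z; null stays None."""
    return None if value is None else datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_keys(keys, now, stale_after_days=90):
    """Return {key id: [findings]} for keys that are still active."""
    cutoff = now - timedelta(days=stale_after_days)
    findings = {}
    for key in keys:
        if key["revokedAt"] is not None:
            continue  # already revoked, nothing left to review
        expires, last_used = parse_ts(key["expiresAt"]), parse_ts(key["lastUsedAt"])
        notes = []
        if expires is None:
            notes.append("no expiry set")
        elif expires <= now:
            notes.append("expired, not revoked")
        if last_used is None:
            # Only flag unused keys once they are older than the stale window.
            if parse_ts(key["createdAt"]) < cutoff:
                notes.append("never used")
        elif last_used < cutoff:
            notes.append("unused for %d+ days" % stale_after_days)
        if notes:
            findings[key["id"]] = notes
    return findings

if __name__ == "__main__":
    for key_id, notes in audit_keys(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(key_id, "->", ", ".join(notes))
```

To run it against a real project, save the output of the list request shown earlier to a file and pass the parsed JSON to audit_keys with the current UTC time.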