Skip to main content
POST
/
admin
/
api-keys
Create an org API key
curl --request POST \
  --url https://{organization_id}.platform.barndoor.ai/api/llm-gateway/admin/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "name": "<string>",
  "user_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "user_email": "<string>",
  "scopes": [
    "<string>"
  ],
  "group_name": "<string>",
  "expires_at": "2023-11-07T05:31:56Z"
}
'
{
  "id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "name": "<string>",
  "key_prefix": "<string>",
  "key": "bd-abcd1234ef56...",
  "scopes": [
    "<string>"
  ],
  "created_at": "2023-11-07T05:31:56Z",
  "group_name": "<string>",
  "expires_at": "2023-11-07T05:31:56Z"
}
Creates an organization-managed bd-… API key for the LLM Gateway runtime (/v1/chat/completions, /v1/messages, /v1/embeddings, etc.).
The full key value is returned only in this response. Barndoor stores a one-way hash and cannot reveal the raw key again — copy it immediately, e.g. into your secrets manager or CI environment.
A key is either assigned to a single user or bound to an IdP group, not both. Use the binding to control scope of:

Example: a CI service-account key

curl -X POST https://app.barndoor.ai/api/llm-gateway/admin/api-keys \
  -H "Authorization: Bearer $BARNDOOR_JWT" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "GitHub Actions runner",
    "group_name": "ci",
    "expires_at": "2026-12-31T23:59:59Z"
  }'
The response includes the raw key. From that point on, callers can use it as: 
curl https://app.barndoor.ai/api/llm-gateway/v1/chat/completions \
  -H "Authorization: Bearer bd-..." \
  -H "Content-Type: application/json" \
  -d '{ "model": "gpt-4o-mini", "messages": [...] }'
To rotate a key, create a new one and revoke the old one with DELETE /admin/api-keys/{id}.

Authorizations

Authorization
string
header
required

JWT obtained through Barndoor's authentication flow. Pass the token verbatim in Authorization: Bearer <token>. Use the Barndoor SDK's loginInteractive() helper to obtain a token in scripts and notebooks.

Body

application/json
name
string
required
user_id
string<uuid>

Assign the key to a specific user. Mutually exclusive with group_name.

user_email
string

Optional override for the email recorded on the key

scopes
string[]
group_name
string

Bind the key to an IdP group. Members of the group share the group-scoped budgets, rate limits, and access policies. Mutually exclusive with user_id.

expires_at
string<date-time> | null

Response

The newly created key (only response that contains the raw key)

id
string<uuid>
required
name
string
required
key_prefix
string
required
key
string
required

The raw API key. Returned only at creation time and never stored in plaintext — copy it immediately. Use this value as Authorization: Bearer <key> (or x-api-key: <key>) on requests to /v1/chat/completions, /v1/messages, and friends.

Example:

"bd-abcd1234ef56..."

scopes
string[]
required
created_at
string<date-time>
required
group_name
string | null
expires_at
string<date-time> | null