API Keys Management
Manage programmatic API keys for your autonomous agents.
Session JWT Required
These endpoints manage account-level API keys and require the user's primary Supabase Auth session JWT. Requests authenticated with sov_live_ or sov_proj_ tokens will return 401 session_jwt_required.
These endpoints allow users to issue, list, and revoke programmatic keys (sov_live_) to grant agents access to backing storage quotas.
1. Issue API Key
Generate a new API key. The key's raw secret value is shown exactly once in the response and is never stored in plaintext on the server.
Request URL
POST /api-keysRequest Body Schema
{
"name": "my-trading-agent"
}name: A string label for the key (1 to 128 characters).
Response (201 Created)
{
"id": "1a2b3c4d-5e6f-7a8b-9c0d-e1f2a3b4c5d6",
"name": "my-trading-agent",
"prefix": "sov_live_",
"masked_key": "sov_live_8f3a****************b2a1",
"raw_secret": "sov_live_8f3a2b1c4d9e0f...b2a1",
"created_at": "2026-06-09T16:45:30.123Z"
}2. List API Keys
Retrieve a list of all active and revoked API keys associated with the authenticated account. Keys are returned in masked form.
Request URL
GET /api-keysResponse (200 OK)
[
{
"id": "1a2b3c4d-5e6f-7a8b-9c0d-e1f2a3b4c5d6",
"name": "my-trading-agent",
"prefix": "sov_live_",
"created_at": "2026-06-09T16:45:30.123Z",
"revoked_at": null,
"last_used_at": "2026-06-09T16:50:00.000Z",
"status": "active"
}
]3. Revoke API Key
Soft-delete an API key. Revocation is immediate and cannot be undone; the key will reject all subsequent sync operations with 401 api_key_revoked.
Request URL
DELETE /api-keys/:id- Path Parameters:
id: The UUID of the API key to revoke.
Response (200 OK)
{
"id": "1a2b3c4d-5e6f-7a8b-9c0d-e1f2a3b4c5d6",
"revoked_at": "2026-06-09T16:55:00.000Z",
"message": "api_key_revoked"
}