Create an API key
Mint a new key. The full secret is returned once, in this response only — store it immediately. Afterwards only its prefix and last four characters are visible.
POST
/v1/api-keysKeys are account (tenant) resources. By default a key is account-wide; pass senderId to lock it to a single project. The wire form of the secret is <keyPrefix>_<secret> — send it whole as the bearer token.
01 Body parameters
namestringRequired
A label to recognize the key by, shown in the dashboard.
senderIdstringOptional
Scope the key to one project. Must be a project in your account. Omit for an account-wide key (callers then name the project per-request with the
X-Drin-Product header).scopesstring[]Optional
Permission scopes to grant (e.g.
emails:send). Omit for a key with the account's default permissions.02 Request
curl https://api.drin.run/v1/api-keys \
-H "Authorization: Bearer $DRIN_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "production",
"scopes": ["emails:send"]
}'03 Response
Returns 201 Created. The secret field is present only here; every other endpoint returns the key without it. Persist secret before discarding the response.
{
"id": "ak_7Yq3Lm",
"name": "production",
"keyPrefix": "drin_a1b2c3d4e5f6",
"last4": "1a2b",
"senderId": null,
"senderExternalId": null,
"scopes": ["emails:send"],
"lastUsedAt": null,
"revokedAt": null,
"createdAt": "2026-06-02T10:00:00.000Z",
"secret": "drin_a1b2c3d4e5f6_9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c"
}The secret is shown onceIf you lose it, you can't recover it — there is no endpoint that re-reveals a secret. Revoke the key and create a new one.
Foreign projectA
senderId that doesn't belong to your account returns 422 validation_error.