API reference

List API keys

List API keys owned by the account. Review Diffio API behavior, response fields, setup details, and production workflows.

List scoped and dashboard API keys for the authenticated admin account.

POST/v1/api_keys/listPermissions: admin, keys:read

Endpoint

HTTP request

https://api.diffio.ai/v1/api_keys/list

Use POST with a JSON body.

Permissions

admin, keys:read

API keys must be active.

Authentication

Send the API key on every request using one of the supported headers.

Authorization: Bearer <apiKey>
X-Api-Key: <apiKey>
Xi-Api-Key: <apiKey>

Request

Send an empty JSON object. The account is inferred from the authenticated admin key.

This endpoint expects an empty JSON object.

cURL

curl -X POST "https://api.diffio.ai/v1/api_keys/list" \  -H "Authorization: Bearer $DIFFIO_AGENT_KEY" \  -H "Content-Type: application/json" \  -d '{}'

Response

Returns serialized metadata for keys owned by the account.

Response fields

Field	Type	Required	Description
`keys`	array	Yes	List of API key metadata objects.
`keys[].keyId`	string	Yes	API key document id.
`keys[].label`	string	Yes	Stored key label.
`keys[].status`	string	Yes	Key status.
`keys[].keyPrefix`	string	Yes	Display-safe key prefix.
`keys[].role`	string	Yes	Key role.
`keys[].scopes`	array	Yes	Scopes granted to the key.
`keys[].resourceBounds`	object	Yes	Stored resource bounds, or an empty object.

Successful response

{  "keys": [    {      "keyId": "key_child_123",      "label": "Dashboard browser key",      "status": "active",      "keyPrefix": "diffio_live_child",      "role": "scoped",      "scopes": ["projects:read", "generations:read"],      "resourceBounds": {},      "parentKeyId": "key_admin_123",      "createdAt": "2026-05-09T12:00:00Z",      "rotatedAt": null,      "revokedAt": null    }  ]}

Return codes

200Success, treated as complete.: API keys returned.
204Success, treated as empty response.: CORS preflight when method is OPTIONS.
401Unauthorized, treated as auth error.: Missing API key, or invalid API key.
403Forbidden, treated as permission error.: Privileged admin API key required, API key is not active, or missing keys:read permission.
405Client error, treated as fix required.: Method is not POST.
500Server error, treated as retryable.: Failed to list API keys.

Notes

Plaintext key secrets are not returned by this endpoint.
The endpoint lists keys with the same userId as the authenticated admin key.