Manage API Keys

Create, list, revoke, and rotate API keys.

POST /v1/platform/api-keys

Create a new API key. The raw key is returned only once, so store it securely.

Request Body

Field        Type    Required  Description
name         string  Yes       Human-readable name for the key
workspaceId  uuid    Yes       Workspace to create the key for

Example Request

curl -X POST https://api.tutorflow.io/v1/platform/api-keys \
  -H "Authorization: Bearer tf_platform_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Key",
    "workspaceId": "workspace-uuid"
  }'

Response

{
  "apiKey": "tf_platform_a1b2c3d4e5f6...",
  "keyId": "key-uuid",
  "keyPrefix": "tf_platform_",
  "name": "Production Key"
}

GET /v1/platform/api-keys

List all API keys for a workspace. The raw key is never returned, only the prefix and metadata.

Example Request

curl "https://api.tutorflow.io/v1/platform/api-keys?workspaceId=workspace-uuid" \
  -H "Authorization: Bearer tf_platform_..."

Response

[
  {
    "keyId": "key-uuid",
    "keyPrefix": "tf_platform_",
    "name": "Production Key",
    "createdAt": "2026-03-19T10:00:00Z"
  }
]

POST /v1/platform/api-keys/:id/revoke

Permanently revoke an API key. Any requests using this key will immediately return 401 Unauthorized.

Example Request

curl -X POST https://api.tutorflow.io/v1/platform/api-keys/KEY_ID/revoke \
  -H "Authorization: Bearer tf_platform_..."

POST /v1/platform/api-keys/:id/rotate

Rotate a key: atomically revokes the old key and creates a new one with the same name. Returns the new raw key.

Example Request

curl -X POST https://api.tutorflow.io/v1/platform/api-keys/KEY_ID/rotate \
  -H "Authorization: Bearer tf_platform_..."

Response

{
  "apiKey": "tf_platform_new_key_here...",
  "keyId": "new-key-uuid",
  "keyPrefix": "tf_platform_",
  "name": "Production Key"
}
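
Added example (not part of the original documentation or the TutorFlow project's own code): rotation revokes the old key and returns the new raw key only once, so a client should write the new key to restricted storage before doing anything else and log only non-secret metadata. The code assumes the response shape shown above; the function names, the destination file path, and the injectable `opener` parameter are hypothetical.

```python
import json
import os
import tempfile
import urllib.request

API = "https://api.tutorflow.io/v1/platform/api-keys"  # endpoint from the page
KEY_PREFIX = "tf_platform_"  # prefix shown in the page's example responses


def persist_key(response_body: bytes, dest: str) -> dict:
    """Store the raw key from a create/rotate response in dest (mode 0600).

    Returns only non-secret metadata (keyId, keyPrefix, name), safe to log.
    """
    data = json.loads(response_body)
    raw = data.get("apiKey") if isinstance(data, dict) else None
    # Never overwrite the stored key unless the response really carries a new one.
    if not isinstance(raw, str) or not raw.startswith(KEY_PREFIX) or len(raw) <= len(KEY_PREFIX):
        raise ValueError("response does not contain a usable apiKey")
    directory = os.path.dirname(os.path.abspath(dest))
    # mkstemp creates the file with mode 0600, so the key is never group/world-readable.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".apikey-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(raw)
            fh.flush()
            os.fsync(fh.fileno())
        # Atomic swap: readers see the old key or the new key, never a partial file.
        os.replace(tmp, dest)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise
    return {k: data.get(k) for k in ("keyId", "keyPrefix", "name")}


def rotate_and_store(key_id: str, auth_key: str, dest: str,
                     opener=urllib.request.urlopen) -> dict:
    """POST /v1/platform/api-keys/:id/rotate, then persist the new key before returning.

    auth_key is the platform key sent in the Authorization header, as in the curl example.
    """
    req = urllib.request.Request(
        f"{API}/{key_id}/rotate",
        method="POST",
        headers={"Authorization": f"Bearer {auth_key}"},
    )
    with opener(req, timeout=10) as resp:
        body = resp.read()
    return persist_key(body, dest)
```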