API keys

Server-to-server credentials for calling the KolayLogin Admin API and for surfacing public endpoints to your client. Two flavors, both minted per-instance from the dashboard.

Key kinds

  • Secret: sk_live_* / sk_test_*. Full admin access to the instance. Store server-side only (env var, secret store, CI).
  • Publishable: pk_live_* / pk_test_*. Read-only discovery helper — safe to embed in the browser bundle if you need to call the JWKS or public plan list.

Create a key

Dashboard → your app → API keys (per-instance) → New key. Name it something recognizable (e.g. "background workers").

Shown once
The full secret is only ever returned at creation time. Copy it to your secret store immediately. We only retain the sha256 hash afterward, so a lost key cannot be recovered: revoke it and issue a new one.

Use it

curl https://api.kolaylogin.com/v1/admin/users \
  -H "Authorization: Bearer sk_live_…"

From Node.js, use createKolayLoginClient:

import { createKolayLoginClient } from '@kolaylogin/backend';

const kolay = createKolayLoginClient({
  // baseUrl defaults to https://api.kolaylogin.com
  secretKey: process.env.KL_SECRET_KEY!, // sk_live_...
});

const { users } = await kolay.users.list({ limit: 10 });

Rotation & revocation

  • Keys never expire automatically — rotate on a schedule that matches your secret store's cadence.
  • Revoking is instant: one row update in api_keys.revokedAt. Revoked keys start returning 401 revoked_api_key on the next call.
  • The dashboard shows lastUsedAt so you can verify an old key is retired before revoking.

Scope

Every key is bound to a single instance (environment) — blast radius is contained to that tenant. An sk_live_ key from app A cannot read users from app B in the same workspace.