/v1/health) must include:
Key format
Keys aresk_ followed by 64 hex characters. They are hashed server-side —
PlugKit only ever shows the full key once, at creation. Store it in a secret
manager, never in client-side code.
Managing keys
Create a key
POST /v1/api-keys — returns the plaintext key one time.List keys
GET /v1/api-keys — shows prefixes and metadata, never the secret.Revoke a key
DELETE /v1/api-keys/{id} — immediately invalidates it.Rotate
Create a new key, switch your app over, then revoke the old one.
Errors
| Status | Meaning |
|---|---|
401 Unauthorized | Missing, malformed, or revoked key. |
403 Forbidden | Key is valid but not allowed for this resource. |