PlugKit uses API keys sent as a Bearer token. Every request (except /v1/health) must include:
Authorization: Bearer sk_your_key

Key format

Keys are sk_ followed by 64 hex characters. They are hashed server-side — PlugKit only ever shows the full key once, at creation. Store it in a secret manager, never in client-side code.
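
Because the format is fixed, a hard-coded key can be found mechanically before it ships. The scanner below is an added example, not PlugKit's own code: it flags key-shaped strings in text and redacts them in its report. The sample files, the fake key, the `PLUGKIT_API_KEY` variable name, the 4-character redaction prefix and the acceptance of upper-case hex are assumptions.

```python
import re

# Key format from this page: "sk_" followed by 64 hex characters.
# The lookarounds reject matches embedded in a longer token (e.g. "task_..."
# or 65+ hex characters). Accepting upper-case hex is an assumption.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])sk_[0-9a-fA-F]{64}(?![A-Za-z0-9_])")


def redact(key: str) -> str:
    """Keep "sk_" plus 4 characters for correlation; never emit the secret."""
    return key[:7] + "...[redacted]"


def scan_text(name: str, text: str) -> list:
    """Return one finding per key-shaped string, with the key redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append({"file": name, "line": lineno,
                             "column": m.start() + 1,
                             "key": redact(m.group(0))})
    return findings


def scan_all(files: dict) -> list:
    """Scan a mapping of file name -> contents."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample input. FAKE_KEY is not a real credential.
FAKE_KEY = "sk_" + "ab12" * 16
SAMPLE = {
    # Key hard-coded in client-side code: should be flagged.
    "public/app.js": 'headers: { Authorization: "Bearer ' + FAKE_KEY + '" }\n',
    # Key read from the environment (hypothetical variable name): clean.
    "server/config.py": 'API_KEY = os.environ["PLUGKIT_API_KEY"]\n',
    # Near misses: wrong prefix boundary, and 63 hex characters.
    "notes.txt": "task_" + "0" * 64 + "\nsk_" + "f" * 63 + "\n",
}

if __name__ == "__main__":
    for f in scan_all(SAMPLE):
        print(f"{f['file']}:{f['line']}:{f['column']} PlugKit key {f['key']}")
```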

Managing keys

Create a key

POST /v1/api-keys — returns the plaintext key one time.

List keys

GET /v1/api-keys — shows prefixes and metadata, never the secret.

Revoke a key

DELETE /v1/api-keys/{id} — immediately invalidates it.

Rotate

Create a new key, switch your app over, then revoke the old one.
A leaked key can act on every connected account in your profile. Revoke and rotate immediately if one is exposed.

Errors

| Status | Meaning |
| --- | --- |
| 401 Unauthorized | Missing, malformed, or revoked key. |
| 403 Forbidden | Key is valid but not allowed for this resource. |