API Keys

API keys provide programmatic access to Alokai CMS without requiring interactive login. They are scoped to a space and carry granular permissions.

Creating an API key

Go to Settings → API Keys and click New API Key.

Field	Description
Name	A label to identify this key
Description	Optional notes
Permissions	What actions this key can perform

Caution

The full key value is only shown once at creation time. Copy it immediately — it cannot be retrieved later.

Key format

default_sk_a1b2c3d4e5f6...  (64 hex characters after the underscore)

The prefix (default) is stored in plain text for identification. The rest is hashed with SHA-256 before storage.

Permissions

Permission	Allows
content_read	List and get pages, components, and content models
content_update	Create, update, and publish pages and components
content_delete	Delete pages and components
users_read	List users
users_update	Create and update users

Using an API key

Pass the key in the Authorization header or the X-API-Key header:

# Authorization header
curl -H "Authorization: Bearer default_sk_..." \
     https://your-worker.workers.dev/api/pages

# X-API-Key header
curl -H "X-API-Key: default_sk_..." \
     https://your-worker.workers.dev/api/pages

Always include the space and environment context headers:

curl -H "Authorization: Bearer default_sk_..." \
     -H "X-Alokai CMS-Space: default" \
     -H "X-Alokai CMS-Environment: main" \
     https://your-worker.workers.dev/api/pages

Revoking a key

Click Delete on any key in Settings → API Keys. The key is immediately invalidated.