API Keys

API keys authenticate requests to the Pure Frame API. Each key is scoped to a permission level and can be revoked independently without affecting your other keys.

Creating a key

$curl -X POST https://api.pureframe.ai/v1/api_keys \
> -H "Authorization: Bearer <session-token>" \
> -H "Content-Type: application/json" \
> -d '{ "name": "Production server", "permissions": "all" }'
1{
2 "data": {
3 "id": "a1b2c3d4-...",
4 "user_id": "usr_...",
5 "name": "Production server",
6 "prefix": "pf_a1b2c3d4",
7 "permissions": "all",
8 "created_at": "2026-07-01T12:00:00Z",
9 "key": "pf_a1b2c3d4e5f6..."
10 }
11}

The key field — the actual secret you use in the Authorization header — is only ever returned in this creation response. Store it immediately; there is no way to retrieve it again. If you lose it, revoke the key and create a new one.

Permission levels

LevelAccess
allFull read and write — upload, search, manage collections and webhooks
read_onlySearch and list operations only — no uploads, deletes, or webhook management

Use read_only keys for client-side or agent integrations (see MCP) where you don’t need write access.

Listing keys

$curl https://api.pureframe.ai/v1/api_keys \
> -H "Authorization: Bearer <session-token>"

Returns every key on your account, including revoked ones. The plain secret is never included in list responses — only prefix (the first 12 characters) is shown, so you can identify which key is which.

Revoking a key

$curl -X DELETE https://api.pureframe.ai/v1/api_keys/a1b2c3d4-... \
> -H "Authorization: Bearer <session-token>"

Returns 204 No Content. Revocation is immediate and permanent — a revoked key cannot be reactivated; create a new one instead.

Plan limits

PlanMax active keys
Free2
Pro20

Creating a key beyond your plan’s limit returns 402 with code API_KEY_LIMIT_REACHED. See Error Codes.

API key object

FieldTypeDescription
idstringUnique key ID
user_idstringOwning account ID
namestringDisplay name you chose at creation
prefixstringFirst 12 characters of the key, for identification in lists
permissionsstringall or read_only
last_used_atstring | nullISO 8601 timestamp of the most recent authenticated request, or null if never used
created_atstringISO 8601 creation timestamp
revoked_atstring | nullISO 8601 timestamp if revoked, else null

Security notes

  • Keys are stored as a SHA-256 hash — Pure Frame never stores or logs the plain secret after creation.
  • Key creation and revocation both require a web session token, not another API key — this prevents a compromised API key from minting or revoking other keys on the account.