API Keys
API keys authenticate requests to the Pure Frame API. Each key is scoped to a permission level and can be revoked independently without affecting your other keys.
Creating a key
The key field — the actual secret you use in the Authorization header — is only ever returned in this creation response. Store it immediately; there is no way to retrieve it again. If you lose it, revoke the key and create a new one.
Permission levels
Use read_only keys for client-side or agent integrations (see MCP) where you don’t need write access.
Listing keys
Returns every key on your account, including revoked ones. The plain secret is never included in list responses — only prefix (the first 12 characters) is shown, so you can identify which key is which.
Revoking a key
Returns 204 No Content. Revocation is immediate and permanent — a revoked key cannot be reactivated; create a new one instead.
Plan limits
Creating a key beyond your plan’s limit returns 402 with code API_KEY_LIMIT_REACHED. See Error Codes.
API key object
Security notes
- Keys are stored as a SHA-256 hash — Pure Frame never stores or logs the plain secret after creation.
- Key creation and revocation both require a web session token, not another API key — this prevents a compromised API key from minting or revoking other keys on the account.