Create and manage API keys
Mint, use, and revoke API keys in Console → API Keys, understand what a key can access, and read the Usage page's execution stats.
View as MarkdownAPI keys authenticate the Axiom CLI and any code that calls your flows over HTTP. This guide creates a key in the account console, shows the three ways to use it, explains what a key can and cannot access, covers revocation, and walks through the Usage page next to it in the Console.
Prerequisites
- An Axiom account you can sign in to the editor with.
- To follow the invocation example: a saved flow owned by the same account — see Invoke a flow via API.
Create an API key
- In the app, go to Console → API Keys (
/console/api-keys). - Click Create key.
- In the Create API key dialog, fill in Name — pick something that
identifies where the key will live, such as
ci,laptop, orproduction-cli. A name is required. - Click Create key (or press Enter).
The Save your API key dialog then shows the raw key — a 64-character hex string — exactly once. Copy it with the copy button and store it somewhere safe before clicking Done. The platform stores only the key's SHA-256 hash, so the full key is never shown again and cannot be recovered; if you lose it, revoke it and create a new one.
After the dialog closes, the key appears in the list with four columns:
- Name — the name you gave it.
- Key — a masked form only: the first 8 characters, an ellipsis, and the
last 4 (for example
a1b2c3d4…9f0e). The full key never appears in the list. Keys minted automatically byaxiom loginbefore masking metadata existed show—here. - Created — the creation date.
- Last used —
Neveruntil the key authenticates a request; afterwards the date of recent use (updated at most once per minute, so it can lag a burst of requests slightly).
What a key can access
Keys have no per-key scopes or permission levels: every key carries the full access of the account that created it. One key can authenticate the CLI, invoke any flow the account owns, and call the management API — there is no way to mint a read-only or single-flow key today. Treat each key like a password, and create one key per place it lives (one per CI system, one per machine) so you can revoke them independently.
Access is bounded by your tenant. A key resolves to the tenant that created it, and the platform enforces that one tenant's flows, secrets, memory, and results are never visible to another — a key cannot reach another tenant's data, and invoking a flow requires that the key belongs to the same account that owns the flow. See Sandboxing and tenancy.
Use a key
From the CLI. axiom login runs a browser OAuth device flow and stores
a freshly minted key (it appears in the key list under the name cli) in
~/.axiom/credentials. In CI, skip the browser entirely by setting
AXIOM_API_KEY before logging in:
# CI: store the key without a browser flow, then confirm the identity
export AXIOM_API_KEY="<your 64-character key>"
axiom login
axiom whoami # prints the Email and Tenant the stored key resolves toOver HTTP. Send the key as a bearer token in the Authorization header.
For example, invoking a compiled flow (get the exact command, including your
graph_id, from the Use via API dialog — see
Invoke a flow via API):
# Replace <origin> with your Axiom host and <graph-id> with your compiled flow's id
curl -X POST '<origin>/invocations/v1/flows/invoke' \
-H "Authorization: Bearer $AXIOM_API_KEY" \
-H 'Content-Type: application/json' \
-d '{"graph_id": "<graph-id>", "input": {}, "wait": true}'From a Client Builder SDK. SDKs built with the Client Builder read the
key from the AXIOM_API_KEY environment variable (no key is ever embedded
in an SDK) — see Build a client SDK.
Revoke a key
- Go to Console → API Keys.
- In the key's row, click the Revoke <name> button (the trash icon).
- Confirm with Revoke key in the dialog.
Revocation is immediate and cannot be undone: the key fails authentication
on its very next use, because keys are checked against the database on every
request with no cache. Any client still using the key — including a CLI
logged in with it — stops working at once; if you revoke the key your own
CLI session uses, run axiom login again. You can only revoke keys
belonging to your own account.
Monitor usage
Console → Usage (/console/usage) shows your account's flow
executions over the last 30 days. It reflects activity only — it is not a
bill.
- Summary cards: Executions (total runs in the window), Success rate (percentage of runs that completed successfully), and Avg duration (mean wall-clock time of completed runs — in-flight runs never skew it).
- Executions per day: a stacked bar chart, one bar per day. Hovering a bar shows the date, the day's total, and the succeeded/failed split. Successful and failed runs are colored distinctly; runs still in flight (or paused) count toward the total only.
A run counts as failed if it ended in failure, was cancelled, or ended while compensating. All numbers are scoped to your tenant. For digging into an individual execution rather than aggregates, see Debug a flow.