Public beta — not for production use. Data may be wiped at any time. Questions? Contact us.
Documentation menu

Create and manage API keys

Mint, use, and revoke API keys in Console → API Keys, understand what a key can access, and read the Usage page's execution stats.

View as Markdown

API keys authenticate the Axiom CLI and any code that calls your flows over HTTP. This guide creates a key in the account console, shows the three ways to use it, explains what a key can and cannot access, covers revocation, and walks through the Usage page next to it in the Console.

Prerequisites

  • An Axiom account you can sign in to the editor with.
  • To follow the invocation example: a saved flow owned by the same account — see Invoke a flow via API.

Create an API key

  1. In the app, go to Console → API Keys (/console/api-keys).
  2. Click Create key.
  3. In the Create API key dialog, fill in Name — pick something that identifies where the key will live, such as ci, laptop, or production-cli. A name is required.
  4. Click Create key (or press Enter).

The Save your API key dialog then shows the raw key — a 64-character hex string — exactly once. Copy it with the copy button and store it somewhere safe before clicking Done. The platform stores only the key's SHA-256 hash, so the full key is never shown again and cannot be recovered; if you lose it, revoke it and create a new one.

After the dialog closes, the key appears in the list with four columns:

  • Name — the name you gave it.
  • Key — a masked form only: the first 8 characters, an ellipsis, and the last 4 (for example a1b2c3d4…9f0e). The full key never appears in the list. Keys minted automatically by axiom login before masking metadata existed show here.
  • Created — the creation date.
  • Last usedNever until the key authenticates a request; afterwards the date of recent use (updated at most once per minute, so it can lag a burst of requests slightly).

What a key can access

Keys have no per-key scopes or permission levels: every key carries the full access of the account that created it. One key can authenticate the CLI, invoke any flow the account owns, and call the management API — there is no way to mint a read-only or single-flow key today. Treat each key like a password, and create one key per place it lives (one per CI system, one per machine) so you can revoke them independently.

Access is bounded by your tenant. A key resolves to the tenant that created it, and the platform enforces that one tenant's flows, secrets, memory, and results are never visible to another — a key cannot reach another tenant's data, and invoking a flow requires that the key belongs to the same account that owns the flow. See Sandboxing and tenancy.

Use a key

From the CLI. axiom login runs a browser OAuth device flow and stores a freshly minted key (it appears in the key list under the name cli) in ~/.axiom/credentials. In CI, skip the browser entirely by setting AXIOM_API_KEY before logging in:

# CI: store the key without a browser flow, then confirm the identity
export AXIOM_API_KEY="<your 64-character key>"
axiom login
axiom whoami   # prints the Email and Tenant the stored key resolves to

Over HTTP. Send the key as a bearer token in the Authorization header. For example, invoking a compiled flow (get the exact command, including your graph_id, from the Use via API dialog — see Invoke a flow via API):

# Replace <origin> with your Axiom host and <graph-id> with your compiled flow's id
curl -X POST '<origin>/invocations/v1/flows/invoke' \
  -H "Authorization: Bearer $AXIOM_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"graph_id": "<graph-id>", "input": {}, "wait": true}'

From a Client Builder SDK. SDKs built with the Client Builder read the key from the AXIOM_API_KEY environment variable (no key is ever embedded in an SDK) — see Build a client SDK.

Revoke a key

  1. Go to Console → API Keys.
  2. In the key's row, click the Revoke <name> button (the trash icon).
  3. Confirm with Revoke key in the dialog.

Revocation is immediate and cannot be undone: the key fails authentication on its very next use, because keys are checked against the database on every request with no cache. Any client still using the key — including a CLI logged in with it — stops working at once; if you revoke the key your own CLI session uses, run axiom login again. You can only revoke keys belonging to your own account.

Monitor usage

Console → Usage (/console/usage) shows your account's flow executions over the last 30 days. It reflects activity only — it is not a bill.

  • Summary cards: Executions (total runs in the window), Success rate (percentage of runs that completed successfully), and Avg duration (mean wall-clock time of completed runs — in-flight runs never skew it).
  • Executions per day: a stacked bar chart, one bar per day. Hovering a bar shows the date, the day's total, and the succeeded/failed split. Successful and failed runs are colored distinctly; runs still in flight (or paused) count toward the total only.

A run counts as failed if it ended in failure, was cancelled, or ended while compensating. All numbers are scoped to your tenant. For digging into an individual execution rather than aggregates, see Debug a flow.