---
title: "Create and manage API keys"
description: "Mint, use, and revoke API keys in Console → API Keys, understand what a key can access, and read the Usage page's execution stats."
category: guide
surfaces: [console, cli, http-api]
related: [getting-started/invoke-via-api, guides/build-a-client-sdk, guides/manage-secrets, concepts/sandboxing-and-tenancy, reference/http-api, reference/glossary]
last_reviewed: 2026-06-10
---

# Create and manage API keys

API keys authenticate the Axiom CLI and any code that calls your flows over
HTTP. This guide creates a key in the account console, shows the three ways
to use it, explains what a key can and cannot access, covers revocation, and
walks through the Usage page next to it in the Console.

## Prerequisites

- An Axiom account you can sign in to the editor with.
- To follow the invocation example: a saved flow owned by the same account —
  see [Invoke a flow via API](../getting-started/invoke-via-api.md).

## Create an API key

1. In the app, go to **Console → API Keys** (`/console/api-keys`).
2. Click **Create key**.
3. In the **Create API key** dialog, fill in **Name** — pick something that
   identifies where the key will live, such as `ci`, `laptop`, or
   `production-cli`. A name is required.
4. Click **Create key** (or press Enter).

The **Save your API key** dialog then shows the raw key — a 64-character
hex string — **exactly once**. Copy it with the copy button and store it
somewhere safe before clicking **Done**. The platform stores only the key's
SHA-256 hash, so the full key is never shown again and cannot be recovered;
if you lose it, revoke it and create a new one.

After the dialog closes, the key appears in the list with four columns:

- **Name** — the name you gave it.
- **Key** — a masked form only: the first 8 characters, an ellipsis, and the
  last 4 (for example `a1b2c3d4…9f0e`). The full key never appears in the
  list. Keys minted automatically by `axiom login` before masking metadata
  existed show `—` here.
- **Created** — the creation date.
- **Last used** — `Never` until the key authenticates a request; afterwards
  the date of recent use (updated at most once per minute, so it can lag a
  burst of requests slightly).

## What a key can access

Keys have no per-key scopes or permission levels: every key carries the full
access of the account that created it. One key can authenticate the CLI,
invoke any flow the account owns, and call the management API — there is no
way to mint a read-only or single-flow key today. Treat each key like a
password, and create one key per place it lives (one per CI system, one per
machine) so you can revoke them independently.

Access is bounded by your tenant. A key resolves to the tenant that created
it, and the platform enforces that one tenant's flows, secrets, memory, and
results are never visible to another — a key cannot reach another tenant's
data, and invoking a flow requires that the key belongs to the same account
that owns the flow. See
[Sandboxing and tenancy](../concepts/sandboxing-and-tenancy.md).

## Use a key

**From the CLI.** `axiom login` runs a browser OAuth device flow and stores
a freshly minted key (it appears in the key list under the name `cli`) in
`~/.axiom/credentials`. In CI, skip the browser entirely by setting
`AXIOM_API_KEY` before logging in:

```bash
# CI: store the key without a browser flow, then confirm the identity
export AXIOM_API_KEY="<your 64-character key>"
axiom login
axiom whoami   # prints the Email and Tenant the stored key resolves to
```

**Over HTTP.** Send the key as a bearer token in the `Authorization` header.
For example, invoking a compiled flow (get the exact command, including your
`graph_id`, from the **Use via API** dialog — see
[Invoke a flow via API](../getting-started/invoke-via-api.md)):

```bash
# Replace <origin> with your Axiom host and <graph-id> with your compiled flow's id
curl -X POST '<origin>/invocations/v1/flows/invoke' \
  -H "Authorization: Bearer $AXIOM_API_KEY" \
  -H 'Content-Type: application/json' \
  -d '{"graph_id": "<graph-id>", "input": {}, "wait": true}'
```

**From a Client Builder SDK.** SDKs built with the Client Builder read the
key from the `AXIOM_API_KEY` environment variable (no key is ever embedded
in an SDK) — see [Build a client SDK](./build-a-client-sdk.md).

## Revoke a key

1. Go to **Console → API Keys**.
2. In the key's row, click the **Revoke &lt;name&gt;** button (the trash
   icon).
3. Confirm with **Revoke key** in the dialog.

Revocation is immediate and cannot be undone: the key fails authentication
on its very next use, because keys are checked against the database on every
request with no cache. Any client still using the key — including a CLI
logged in with it — stops working at once; if you revoke the key your own
CLI session uses, run `axiom login` again. You can only revoke keys
belonging to your own account.

## Monitor usage

**Console → Usage** (`/console/usage`) shows your account's flow
executions over the last 30 days. It reflects activity only — it is not a
bill.

- **Summary cards:** **Executions** (total runs in the window), **Success
  rate** (percentage of runs that completed successfully), and **Avg
  duration** (mean wall-clock time of completed runs — in-flight runs never
  skew it).
- **Executions per day:** a stacked bar chart, one bar per day. Hovering a
  bar shows the date, the day's total, and the succeeded/failed split.
  Successful and failed runs are colored distinctly; runs still in flight
  (or paused) count toward the total only.

A run counts as failed if it ended in failure, was cancelled, or ended while
compensating. All numbers are scoped to your tenant. For digging into an
individual [execution](../reference/glossary.md#execution) rather than
aggregates, see [Debug a flow](./debug-a-flow.md).
