API Keys
Create, list, and delete API keys via the Rapidfolio Dashboard API.
Overview
API keys authenticate requests to the Rapidfolio Runner API and Dashboard API. Keys are scoped to an environment — a sandbox key can only access sandbox runs and resources, and a live key can only access live runs and resources.
All key management endpoints are on the Dashboard API:
Base URL: https://app.rapid.io/api/v1List Keys
GET https://app.rapid.io/api/v1/api-keys
Authorization: Bearer <api_key>Returns all API keys in your workspace. The raw key value is never returned in list responses — only metadata.
Response
{
"data": [
{
"id": "key_abc123",
"name": "Production server",
"environment": "live",
"prefix": "rsk_live_",
"createdAt": "2026-01-15T09:00:00.000Z"
},
{
"id": "key_def456",
"name": "CI integration tests",
"environment": "sandbox",
"prefix": "rsk_sandbox_",
"createdAt": "2026-02-01T14:30:00.000Z"
}
]
}Create a Key
POST https://app.rapid.io/api/v1/api-keys
Authorization: Bearer <api_key>
Content-Type: application/json{
"name": "My server",
"environment": "sandbox"
}Request Fields
| Field | Type | Required | Description |
|---|---|---|---|
name | string | Yes | A human-readable label for the key (e.g. "Production server", "CI pipeline") |
environment | string | Yes | "sandbox" or "live" — determines which environment the key grants access to |
Response
{
"id": "key_abc123",
"name": "My server",
"environment": "sandbox",
"prefix": "rsk_sandbox_",
"key": "rsk_sandbox_xxxxxxxxxxxxxxxxxxxx",
"createdAt": "2026-02-27T10:00:00.000Z"
}The
keyfield is only returned once, at creation. Store it immediately in a secrets manager or environment variable. Rapidfolio does not store the raw key — if you lose it, you must delete the key and create a new one.
Delete a Key
DELETE https://app.rapid.io/api/v1/api-keys/:id
Authorization: Bearer <api_key>Permanently deletes the key. Any requests using the deleted key will immediately start receiving 401 Unauthorized responses.
Response — 200
{ "success": true }Response — 404
{ "error": "API key not found" }Key Properties
| Property | Description |
|---|---|
id | Unique identifier for the key record — use this for deletion |
name | Human-readable label you assigned at creation |
environment | sandbox or live — immutable after creation |
prefix | The key's prefix string (e.g. rsk_sandbox_) — useful for identifying keys in logs without exposing the full value |
createdAt | ISO 8601 timestamp of when the key was created |
Sandbox vs Live Keys
Sandbox and live keys behave identically at the API level but route to entirely separate execution environments. Connections, runs, and data are never shared between environments.
| Key prefix | Environment | Use for |
|---|---|---|
rsk_sandbox_ | Sandbox | Development, integration tests, CI pipelines |
rsk_live_ | Live | Production traffic with real connections and outputs |
Best Practices
- One key per service — create a separate key for each application or deployment that calls the Rapidfolio API. This lets you rotate or revoke a single service's access without affecting others.
- Least privilege by name — use descriptive names (
"payments-service-prod","ci-tests") so you can identify the key's owner at a glance in the dashboard. - Rotate on suspicion — if a key may have been exposed (leaked in logs, committed to git, etc.), delete it immediately and create a replacement. The old key stops working the moment it is deleted.
- Never commit keys to source control — store keys in environment variables or a secrets manager (e.g. AWS Secrets Manager, HashiCorp Vault, Doppler).