# API Keys (https://eulabel.eu/docs/documentation/get-started/api-keys)

API keys provide programmatic access to the EUlabel API. Each key is scoped to an organization and can be restricted to specific permissions.

## At a glance

* Create keys in the dashboard for each integration (CI, PIM sync, backend).
* Use minimum scopes, rotate regularly, revoke immediately on suspicion.
* Keys are **shown once** — treat them like passwords.

## Creating an API key

Create keys through the Dashboard or via the API (requires an active session):

### CURL

```bash
curl -X POST https://api.eulabel.eu/v1/auth/api-keys \
  -H "Cookie: eulabel_session=..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CI Pipeline Key",
    "scopes": ["products:read", "products:write", "passports:write"]
  }'
```

### JavaScript

```javascript
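// Run this server-side (e.g. Node.js 18+): browsers ignore a manually set Cookie header.
const key = await fetch('https://api.eulabel.eu/v1/auth/api-keys', {
  method: 'POST',
  headers: {
    'Cookie': 'eulabel_session=...',
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({
    name: 'CI Pipeline Key',
    scopes: ['products:read', 'products:write', 'passports:write'],
  }),
}).then(r => {
  // Fail loudly instead of parsing an error body as if it were a key.
  if (!r.ok) throw new Error(`Key creation failed: HTTP ${r.status}`);
  return r.json();
});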
```

> **Warning**
> The API key is returned in the response and **displayed only once**. Store it immediately in a secrets manager or environment variable. You cannot retrieve it again after this point.

## Listing API keys

```bash
curl https://api.eulabel.eu/v1/auth/api-keys \
  -H "Cookie: eulabel_session=..."
```

Returns all active keys for your organization. Keys are masked; only the prefix is visible.

## Revoking an API key

```bash
curl -X DELETE https://api.eulabel.eu/v1/auth/api-keys/KEY_ID \
  -H "Cookie: eulabel_session=..."
```

Revocation takes effect within seconds. Revoked keys cannot be restored.

## Key rotation

To rotate a key with zero downtime:

### Zero-downtime rotation (recommended)

1. Create a new API key with the same scopes.
2. Deploy the new key to your services.
3. Verify requests succeed.
4. Revoke the old key.

  
### Incident response (suspected key leak)

1. Revoke the key immediately.
2. Create a replacement key with minimum scopes.
3. Rotate secrets in all environments (staging + production).
4. Audit logs for unexpected calls.

The platform supports multiple active keys simultaneously, so there is no gap in access during rotation.
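
The zero-downtime steps above, as an added example (not EUlabel's own code) that refuses to revoke the old key until the new one has been deployed and verified. The `id` and `key` response fields and the `deploy`/`verify` hooks are assumptions, since this page does not document the response shape or your secret store.

```javascript
// Added example, not EUlabel code. Assumptions: the create response is JSON
// with `id` and `key` fields (names are hypothetical); `deploy` and `verify`
// are hooks you supply for your own secret store and health check.

// Thin wrapper over the endpoints shown on this page, using the session cookie.
function sessionApi(sessionCookie, fetchImpl = fetch) {
  return async (method, path, body) => {
    const res = await fetchImpl(`https://api.eulabel.eu${path}`, {
      method,
      headers: {
        Cookie: `eulabel_session=${sessionCookie}`,
        'Content-Type': 'application/json',
      },
      body: body ? JSON.stringify(body) : undefined,
    });
    if (!res.ok) throw new Error(`${method} ${path} failed: HTTP ${res.status}`);
    const text = await res.text();
    return text ? JSON.parse(text) : null; // tolerate an empty DELETE response
  };
}

async function rotateKey({ api, oldKeyId, name, scopes, deploy, verify }) {
  // Step 1: create the replacement with the same scopes as the old key.
  const created = await api('POST', '/v1/auth/api-keys', { name, scopes });
  if (!created || !created.id || !created.key) {
    throw new Error('Create response had no id/key; old key left active');
  }
  // Step 2: the secret is shown once, so it goes straight to the secret store.
  // It is never logged or returned from this function.
  await deploy(created.key);
  // Step 3: prove the new key works before touching the old one.
  if (!(await verify(created.key))) {
    const err = new Error('New key failed verification; old key left active');
    err.newKeyId = created.id; // lets the caller revoke the unused replacement
    throw err;
  }
  // Step 4: only now revoke the old key.
  await api('DELETE', `/v1/auth/api-keys/${encodeURIComponent(oldKeyId)}`);
  return { newKeyId: created.id, revokedKeyId: oldKeyId };
}
```

Pass `sessionApi(cookie)` as `api` in real use; a failed verification leaves both keys active, so revoke the unused replacement via `err.newKeyId` once the cause is understood.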

## Best practices

> **Idea**
> Use separate API keys for each integration (e.g., "Production PIM Sync", "CI Pipeline") with the minimum required scopes. This limits the blast radius if a key is compromised.

* Use descriptive names for keys (e.g., "Production PIM Sync", "CI Pipeline")
* Assign the minimum required scopes
* Rotate keys periodically
* Monitor key usage in the Dashboard for unusual patterns

