API keys#

Create and manage API keys for server-side integrations.

Authentication required

All endpoints require a Bearer token in the Authorization header. See the Authentication guide for setup instructions.

POST /v1/personal-access-tokens#

Create a new API key that can expire. The secret is only returned once.

bash

POST /v1/personal-access-tokens
Authorization: Bearer {token}
Content-Type: application/json

{
  "name": "My Campaign"
}

Name	Type	Required	Description
name	`string`	Required	Display name for this token.
expiresAt	`string (ISO 8601) \| null`	—	When this token should expire.

Returns { data } with the result.

Underlying SDK method: bw.personalAccessTokens.create(params)

Store the key securely

The API key secret is only returned in the creation response. It cannot be retrieved again. Store it securely.

List API keys for the authenticated user.

bash

GET /v1/personal-access-tokens
Authorization: Bearer {token}

Returns { items, totalCount, facets } with paginated results.

Underlying SDK method: bw.personalAccessTokens.list()

Revoke an API key, immediately invalidating it.

bash

DELETE /v1/personal-access-tokens/:id
Authorization: Bearer {token}

Name	Type	Required	Description
id	`string (UUID)`	Required	Token identifier to revoke.

Returns { data } with the result.

Underlying SDK method: bw.personalAccessTokens.revoke(params)

Immediate invalidation

Revoking an API key immediately invalidates it. Any integrations using this key will stop working. This action cannot be undone.

Rotate an API key by revoking the old key and creating a new one.

bash

POST /v1/personal-access-tokens/:id/rotate
Authorization: Bearer {token}

Name	Type	Required	Description
id	`string (UUID)`	Required	Token identifier to rotate (revokes old, creates new).

Returns { data } with the result.

Underlying SDK method: bw.personalAccessTokens.rotate(params)