Skip to main content

Overview

API keys enable programmatic access to the ActumX API. Each key is associated with a user account and can be revoked at any time.

List API Keys

Retrieve all API keys for the authenticated user. 
curl https://api.actumx.app/v1/api-keys \
  -H "Cookie: your_session_cookie"
This endpoint requires session authentication (dashboard login), not API key authentication.

Response

keys
array
List of API key objects
{
  "keys": [
    {
      "id": "key_abc123",
      "name": "Production API Key",
      "keyPrefix": "actumx_live_x",
      "revokedAt": null,
      "lastUsedAt": "2024-03-01T10:00:00Z",
      "createdAt": "2024-02-15T08:30:00Z"
    },
    {
      "id": "key_def456",
      "name": "Development Key",
      "keyPrefix": "actumx_live_y",
      "revokedAt": "2024-03-01T12:00:00Z",
      "lastUsedAt": "2024-02-28T15:45:00Z",
      "createdAt": "2024-02-10T10:00:00Z"
    }
  ]
}

Create API Key

Generate a new API key for programmatic access. 
curl -X POST https://api.actumx.app/v1/api-keys \
  -H "Cookie: your_session_cookie" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production API Key"
  }'
This endpoint requires session authentication (dashboard login).

Request Body

name
string
required
Display name for the API key
  • Minimum length: 2 characters
  • Maximum length: 80 characters

Response

apiKeyId
string
Unique identifier for the created key
apiKey
string
The full API key value
This is only shown once. Store it securely immediately.
keyPrefix
string
First 14 characters for identification
warning
string
Security warning about storing the key
{
  "apiKeyId": "key_abc123",
  "apiKey": "actumx_live_xY9zK3mN7pQ2vB...",
  "keyPrefix": "actumx_live_x",
  "warning": "Store this key now. It is shown only once."
}
Save the apiKey value immediately. It cannot be retrieved again. If lost, you’ll need to create a new key.

Revoke API Key

Revoke an API key to prevent further use. Revoked keys cannot be reactivated. 
curl -X DELETE https://api.actumx.app/v1/api-keys/key_abc123 \
  -H "Cookie: your_session_cookie"
This endpoint requires session authentication (dashboard login).

Path Parameters

id
string
required
The ID of the API key to revoke

Response

success
boolean
Whether the revocation was successful
{
  "success": true
}
Revoking a key sets its revokedAt timestamp. The key becomes immediately unusable for API requests.

Key Format and Security

Key Structure

API keys follow this format: 
actumx_live_[40_character_random_string]
The first 14 characters (actumx_live_x) serve as the prefix for easy identification.

Storage

  • Keys are stored as SHA-256 hashes in the database
  • Only the hash and prefix are retained after creation
  • The full key is only displayed once at creation

Last Usage Tracking

The lastUsedAt field is updated whenever an API key successfully authenticates a request. This helps you identify unused keys.

Error Codes

StatusErrorDescription
401unauthorizedNot logged in or session expired
200success: trueRevocation succeeded (even if key doesn’t exist)
Revoking a non-existent or already-revoked key returns success to prevent information disclosure.