Skip to main content
List the organization’s API keys. Key hashes and raw values are never returned. By default the response includes only active (non-revoked) keys. Pass ?include_revoked=true to also receive revoked keys with their audit trail (revoked_at, revoked_by). 
GET /api/v2/org/api-keys

Query parameters

include_revoked
boolean
default:"false"
When true, the response also includes revoked keys.

Response

api_keys
object[]
required
List of key metadata records.

api_keys[]

key_id
string
required
Stable key identifier (key_<16-hex>). Pass this to Revoke API key.
org_id
string
required
The owning organization id.
name
string
required
The label assigned at creation.
revoked
boolean
required
false for active keys. Only true when include_revoked=true is set on the request.
created_at
string
required
When the key was created.
last_used_at
string
Timestamp of the most recent successful authentication with this key. null if the key has never been used.
created_by
string
User id of the dashboard user who created the key. Keys can only be created from a dashboard session, so this is populated for every key created through the API; null appears only on legacy records that predate the field.
revoked_at
string
Present on revoked keys (when include_revoked=true). ISO 8601 UTC timestamp of revocation.
revoked_by
string
Present on revoked keys (when include_revoked=true). User id of whoever revoked the key.

Examples

Active keys only (default)

curl https://api-v2.tumban.com/api/v2/org/api-keys \
  -H "Authorization: Bearer sk_xxx"

{
  "api_keys": [
    {
      "key_id": "key_a1b2c3d4e5f6a7b8",
      "org_id": "org_2abc...",
      "name": "ci-pipeline",
      "revoked": false,
      "created_at": "2026-04-29T12:00:00.123456+00:00",
      "last_used_at": "2026-04-29T12:34:56.654321+00:00",
      "created_by": "user_2def..."
    }
  ]
}

Including revoked keys (audit-trail view)

curl "https://api-v2.tumban.com/api/v2/org/api-keys?include_revoked=true" \
  -H "Authorization: Bearer sk_xxx"

{
  "api_keys": [
    {
      "key_id": "key_a1b2c3d4e5f6a7b8",
      "org_id": "org_2abc...",
      "name": "ci-pipeline",
      "revoked": false,
      "created_at": "2026-04-29T12:00:00.123456+00:00",
      "last_used_at": "2026-04-29T12:34:56.654321+00:00",
      "created_by": "user_2def..."
    },
    {
      "key_id": "key_old1234567890ab",
      "org_id": "org_2abc...",
      "name": "deprecated-laptop",
      "revoked": true,
      "created_at": "2026-02-10T09:14:00.345678+00:00",
      "last_used_at": "2026-04-12T17:50:00.456789+00:00",
      "created_by": "user_2def...",
      "revoked_at": "2026-04-15T08:00:00.567890+00:00",
      "revoked_by": "user_2def..."
    }
  ]
}

Using the dashboard

Open API Keys in the sidebar. The Active Keys tile lists every non-revoked key for the organization, showing the key id, label, and created-at timestamp. The dashboard does not currently surface last_used_at, created_by, or the audit-trail fields — read those from this endpoint directly.