> ## Documentation Index > Fetch the complete documentation index at: https://docs.orq.ai/llms.txt > Use this file to discover all available pages before exploring further. # List API keys > Returns API keys visible to the current workspace, ordered by creation time with the newest key first. The `api_key` and `token_hash` fields are never returned by this endpoint; only `token_prefix` is included. ## OpenAPI ````yaml get /v2/api-keys openapi: 3.1.0 info: title: orq.ai API version: '2.0' description: orq.ai API documentation servers: - url: https://api.orq.ai security: - ApiKey: [] tags: - description: List models available through the AI Router. name: Models - name: Guardrail Rules - name: Policies - name: Routing Rules - name: API keys description: >- API keys authenticate programmatic access to the workspace. The unified key model exposes opaque tokens, per-domain access grants, and budget / rate-limit constraints (see ADR 0001 and ADR 0002). - name: Budgets description: >- Budgets govern spend, token usage, and request rate across six scopes: workspace, project, identity, api-key, provider, and model. A budget is hierarchical and defense-in-depth — every applicable budget is a hard gate, and the most restrictive one wins per dimension (see ADR 0007). - name: Documentation description: >- Search the orq.ai documentation. Proxies the workspace's query to the hosted docs search index. - name: Files description: File upload and retrieval operations. - name: Identities description: >- Identities represent end users from your system for usage and engagement tracking. - name: Projects description: Projects organize resources within a workspace - name: Skills description: >- Skills are modular instructions you can use to codify processes and conventions - name: Responses - description: >- Run agents on a cadence — cron, interval, or one-off. Minimum firing interval is 1 hour. name: Agent Schedules - name: Embeddings - name: Reporting description: >- GenAI reporting API over canonical analytics rollups. Accepts a metric name, time range, grain, group-by, and filters; returns a typed time series and optional totals. externalDocs: url: https://docs.orq.ai description: orq.ai Documentation paths: /v2/api-keys: get: tags: - API keys summary: List API keys description: >- Returns API keys visible to the current workspace, ordered by creation time with the newest key first. The `api_key` and `token_hash` fields are never returned by this endpoint; only `token_prefix` is included. operationId: ApiKeyList parameters: - name: limit in: query description: Page size, 1–200. Unset uses the server default (25). schema: type: integer format: int32 - name: starting_after in: query description: |- Cursor for forward pagination. Set to the `api_key_id` of the last item from the previous page. schema: type: string - name: ending_before in: query description: |- Cursor for backward pagination. Set to the `api_key_id` of the first item from the previous page. schema: type: string - name: project_id in: query description: |- Optional filter: only return keys belonging to this project. When omitted, returns workspace-scoped and any single-project keys. schema: type: string - name: status in: query description: 'Optional filter: only return keys with this status.' schema: $ref: '#/components/schemas/ApiKeyStatus' - name: search in: query description: |- Optional case-insensitive substring match against the api-key name. Empty means no name filter. schema: type: string - name: owner_type in: query description: |- Optional filter: only return keys whose `owner.kind` matches one of the requested types. Combines the user / service-account oneof cases into a single repeated enum so the wire stays flat and multi-select filters travel as a single field. Empty means no owner-type filter. schema: type: array items: $ref: '#/components/schemas/OwnerType' - name: permission_mode in: query description: |- Optional filter: only return keys whose permission mode is one of the listed presets. Empty means no permission-mode filter. schema: type: array items: $ref: '#/components/schemas/PermissionMode' responses: '200': description: OK content: application/json: schema: $ref: '#/components/schemas/ListApiKeysResponse' x-code-samples: - lang: curl label: Core - List active project keys source: | curl --get 'https://api.orq.ai/v2/api-keys' \ --header 'Authorization: Bearer $ORQ_API_KEY' \ --data-urlencode 'limit=25' \ --data-urlencode 'project_id=proj_01HZXW2K7Y8Q9M0N1P2R3S4T5V' \ --data-urlencode 'status=API_KEY_STATUS_ACTIVE' - lang: python label: Python - List active project keys source: | import os from orq_ai_sdk import Orq client = Orq(api_key=os.environ["ORQ_API_KEY"]) page = client.api_keys.list( limit=25, project_id="proj_01HZXW2K7Y8Q9M0N1P2R3S4T5V", status="API_KEY_STATUS_ACTIVE", ) for api_key in page.data: print(api_key.name, api_key.token_prefix) - lang: typescript label: Node.js - List active project keys source: | import { Orq } from '@orq-ai/node'; const client = new Orq({ apiKey: process.env.ORQ_API_KEY, }); const page = await client.apiKeys.list({ limit: 25, projectId: 'proj_01HZXW2K7Y8Q9M0N1P2R3S4T5V', status: 'API_KEY_STATUS_ACTIVE', }); for (const apiKey of page.data) { console.log(apiKey.name, apiKey.tokenPrefix); } components: schemas: ApiKeyStatus: type: string enum: - API_KEY_STATUS_UNSPECIFIED - API_KEY_STATUS_ACTIVE - API_KEY_STATUS_DISABLED - API_KEY_STATUS_REVOKED OwnerType: type: string enum: - OWNER_TYPE_UNSPECIFIED - OWNER_TYPE_USER - OWNER_TYPE_SERVICE_ACCOUNT PermissionMode: type: string enum: - PERMISSION_MODE_UNSPECIFIED - PERMISSION_MODE_ALL - PERMISSION_MODE_RESTRICTED - PERMISSION_MODE_READ_ONLY ListApiKeysResponse: required: - object - data - has_more type: object properties: object: type: string description: Object discriminator for list responses; always `list`. data: type: array items: $ref: '#/components/schemas/ApiKey' description: |- Page of api-keys, ordered newest first. `token_hash` and `api_key` are always elided in list responses. has_more: type: boolean description: |- Whether more api-keys are available in the selected pagination direction. ApiKey: required: - api_key_id - name - owner - project_scope - permission_mode - token_prefix - status - created_at - updated_at type: object properties: api_key_id: type: string description: |- Canonical key identifier (ULID). Embedded in opaque tokens as `sk-orq--`. name: type: string description: Human-readable name shown in the dashboard. owner: allOf: - $ref: '#/components/schemas/ApiKeyOwner' description: Owner attribution (drives lifecycle). project_scope: allOf: - $ref: '#/components/schemas/ProjectScope' description: Project authorization scope. permission_mode: $ref: '#/components/schemas/PermissionMode' description: |- Permission preset. `all` and `read_only` resolve at auth time from the capability catalog. `restricted` reads the per-domain `access` map. access: type: object additionalProperties: type: integer format: enum description: |- Per-domain access map. Only populated when `permission_mode` is `PERMISSION_MODE_RESTRICTED`. The authoritative list of valid keys and the per-domain read / write semantics are exposed at runtime via the capability catalog endpoint. Valid keys are the Domain.id values in the capability catalog — see libs/catalog/orq/apikeys/v1/catalog.textpb for the canonical list. The ids are intentionally not duplicated here to avoid drift. Values are AccessLevel enum names on the JSON wire: "ACCESS_LEVEL_NONE" — capability not granted "ACCESS_LEVEL_READ" — list / view verbs "ACCESS_LEVEL_WRITE" — list / view + mutating / execute verbs token_prefix: type: string description: |- Displayable prefix for UI listings (e.g. "sk-orq-01HXY..."). Safe to expose. status: $ref: '#/components/schemas/ApiKeyStatus' description: Lifecycle status. created_by_id: type: string description: |- Audit: user who created the key. Optional. Distinct from `owner.user_id` — created_by is provenance only, while owner determines lifecycle binding. updated_by_id: type: string description: 'Audit: user who last updated the key.' created_at: type: string description: Time the key was created. format: date-time updated_at: type: string description: Time the key was last updated. format: date-time last_used_at: type: string description: Last authenticated use. Updated via NATS debounce + 1% sampler. format: date-time expires_at: type: string description: |- Optional expiration. The authenticate hot-path rejects keys whose `expires_at` is in the past. Unset means the key never expires. format: date-time legacy_token_family: $ref: '#/components/schemas/LegacyTokenFamily' description: Token family marker used by the legacy adapter to route validation. legacy_key_id: type: string description: |- Legacy MongoDB `_id` from before the canonical ULID was assigned. Used by the adapter to resolve a JWT back to this canonical record. description: |- ApiKey is the canonical record stored in MongoDB `auth.apiKeys`. It is the source of truth for scope, permissions, owner, budget, expiration, and revocation (see ADR 0001). ApiKeyOwner: type: object properties: user: $ref: '#/components/schemas/UserOwner' service_account: $ref: '#/components/schemas/ServiceAccountOwner' description: |- Owner attribution drives lifecycle. `service_account` keys are workspace-owned and outlive any individual user. `user` keys are bound to `user_id`: when the user is removed, disabled, or loses project access, the key is revoked / its scope shrinks per the cascade rules in ADR 0001. ProjectScope: type: object properties: all: $ref: '#/components/schemas/AllProjects' single: $ref: '#/components/schemas/SingleProject' description: |- Project authorization scope. Single-project or all-projects. Multi-project use cases are served by minting per-project keys or by using an all-projects key with `restricted` mode. LegacyTokenFamily: type: string enum: - LEGACY_TOKEN_FAMILY_UNSPECIFIED - LEGACY_TOKEN_FAMILY_ROUTER_JWT - LEGACY_TOKEN_FAMILY_PROJECT_JWT - LEGACY_TOKEN_FAMILY_WORKSPACE_JWT UserOwner: required: - user_id type: object properties: user_id: type: string description: User ID that owns the API key. ServiceAccountOwner: type: object properties: {} AllProjects: type: object properties: {} SingleProject: required: - project_id type: object properties: project_id: type: string description: Project ID this API key is scoped to. securitySchemes: ApiKey: type: http scheme: bearer bearerFormat: JWT ````