> ## Documentation Index
> Fetch the complete documentation index at: https://docs.iblueprint.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage iBlueprint API keys for CLI and API access

> Create, use, and revoke iBlueprint API keys to authenticate CLI commands and direct API calls. Includes security best practices and a curl example.

API keys let you authenticate requests to iBlueprint outside of the browser — whether you are running the CLI, integrating iBlueprint into a script, or making direct API calls from your own application. Each key is scoped to your user account and acts as a Bearer token that the iBlueprint API verifies on every request.

## Creating an API key

<Steps>
  <Step title="Open API Keys settings">
    Click your avatar in the top-right corner, select **Settings**, then choose **API Keys** from the left sidebar.
  </Step>

  <Step title="Create a new key">
    Click **Create API key**, enter a descriptive name (for example, `CI pipeline` or `local dev`), and confirm.
  </Step>

  <Step title="Copy the key">
    Your new API key is displayed once. Copy it and store it somewhere safe — iBlueprint does not show the full key value again after you close the dialog.
  </Step>
</Steps>

<Warning>
  You can only view the full API key value immediately after creating it. If you lose it, you must revoke the key and create a new one.
</Warning>

## Using your API key

### With the iBlueprint CLI

Set the key as an environment variable before running CLI commands:

```bash theme={null}
export IBP_API_KEY=ibp_your_api_key_here
iblueprint list
```

### In HTTP requests

Pass the key as a `Bearer` token in the `Authorization` header:

```bash theme={null}
curl https://api.yourdomain.com/api/trpc/blueprint.list \
  -H "Authorization: Bearer ibp_your_api_key_here" \
  -H "Content-Type: application/json"
```

<CodeGroup>
  ```bash curl theme={null}
  curl https://api.yourdomain.com/api/trpc/blueprint.list \
    -H "Authorization: Bearer ibp_your_api_key_here" \
    -H "Content-Type: application/json"
  ```

  ```javascript fetch theme={null}
  const response = await fetch('https://api.yourdomain.com/api/trpc/blueprint.list', {
    headers: {
      'Authorization': 'Bearer ibp_your_api_key_here',
      'Content-Type': 'application/json',
    },
  });
  const data = await response.json();
  ```
</CodeGroup>

## Rotating a key

If you suspect a key has been compromised, rotate it immediately:

1. Go to **Settings → API Keys**.
2. Find the key you want to rotate and click **Revoke**.
3. Create a new key and update all places where the old key was used.

<Tip>
  Rotate keys periodically even if you have no reason to suspect a compromise. Treat API keys like passwords: short-lived keys limit the window of exposure if one is ever leaked.
</Tip>

## Revoking a key

To permanently revoke a key:

1. Go to **Settings → API Keys**.
2. Click the **...** menu next to the key and select **Revoke**.

Revoked keys stop working immediately. Any CLI command or API request using a revoked key returns a `403 Forbidden` response.

## Security best practices

<AccordionGroup>
  <Accordion title="Never commit keys to source control">
    Store API keys in environment variables or a secrets manager (such as AWS Secrets Manager, HashiCorp Vault, or your CI provider's secret store). Add `.env` files to your `.gitignore` to prevent accidental commits.

    ```bash theme={null}
    # .gitignore
    .env
    .env.local
    .env.*.local
    ```
  </Accordion>

  <Accordion title="Use descriptive key names">
    Name each key after its intended use (for example, `GitHub Actions`, `staging server`, `local dev`). This makes it easy to identify and revoke the right key if you need to rotate credentials for a specific environment.
  </Accordion>

  <Accordion title="Use one key per integration">
    Avoid reusing the same key across multiple applications or environments. Separate keys let you revoke access for a single integration without disrupting others.
  </Accordion>

  <Accordion title="Set rate limits where possible">
    iBlueprint supports per-key rate limiting (requests per hour and per day). Use this to cap how many requests a key can make, reducing the blast radius if a key is misused.
  </Accordion>
</AccordionGroup>
