402 Payment Required with payment options.
API keys (developers)
Pass your key in the Authorization header:
Key format
| Environment | Prefix | Example |
|---|---|---|
| Production | bsk_live_ | bsk_live_a1B2c3D4... |
| Test | bsk_test_ | bsk_test_x9Y8z7W6... |
Key management
| Operation | Endpoint | Method |
|---|---|---|
| Create key | /api/v1/api-keys | POST |
| List keys | /api/v1/api-keys | GET |
| Get key | /api/v1/api-keys/{id} | GET |
| Rotate key | /api/v1/api-keys/{id}/rotate | POST |
| Revoke key | /api/v1/api-keys/{id} | DELETE |
Key rotation
Rotate a key to get a new secret while preserving the key’s metadata, scopes, and audit trail. The old key is immediately revoked and a new one is returned.
Scopes
Keys can be scoped to limit access. A key with null scopes has full access. Scoped keys use the format domain:action:
403 Forbidden.
Key security
- Keys are hashed with SHA-256 before storage. The raw key is never persisted.
- Keys are shown once at creation. They cannot be retrieved again.
- Revoked keys are immediately unusable.
- Key usage is tracked via last_used_at.
- All key operations are recorded in the audit log.
x402 payments (agents)
AI agents can pay per-request with USDC on Base. No account, no API key required. Pass the x402 payment receipt in the PAYMENT-SIGNATURE header:
Error responses
| Status | Meaning |
|---|---|
| 401 Unauthorized | Invalid, expired, or revoked API key |
| 402 Payment Required | No credentials provided — includes payment options in response |
| 403 Forbidden | Valid key, but missing required scope |
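
An added example, not part of the original page or the service's own code: a minimal server-side sketch of the key handling described under Key security and Scopes (only the SHA-256 digest is stored, null scopes mean full access) returning the status codes from the table above. The in-memory store, the function names, the random key body and the point at which last_used_at is updated are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timezone

PREFIXES = {"production": "bsk_live_", "test": "bsk_test_"}
STORE = {}  # hypothetical key table: SHA-256 hex digest -> record (no raw keys)


def _digest(raw_key):
    # A fast hash is acceptable here because the key is a long random secret,
    # not a human-chosen password that could be guessed offline.
    return hashlib.sha256(raw_key.encode()).hexdigest()


def create_key(environment, scopes=None):
    """Return the raw key once; persist only its digest and metadata."""
    raw = PREFIXES[environment] + secrets.token_urlsafe(32)  # assumed key body
    STORE[_digest(raw)] = {"scopes": scopes, "revoked": False, "last_used_at": None}
    return raw


def revoke_key(raw_key):
    """Mark the key revoked; it is unusable from the next request on."""
    STORE[_digest(raw_key)]["revoked"] = True


def authorize(presented_key, required_scope):
    """Return the HTTP status for a request needing `required_scope`."""
    if not presented_key:
        return 402  # no credentials: response carries payment options
    if not presented_key.startswith(tuple(PREFIXES.values())):
        return 401  # not a key in the documented format
    record = STORE.get(_digest(presented_key))
    if record is None or record["revoked"]:
        return 401  # unknown or revoked key
    record["last_used_at"] = datetime.now(timezone.utc)  # assumed: set on valid key
    scopes = record["scopes"]
    if scopes is not None and required_scope not in scopes:
        return 403  # valid key, but missing the required domain:action scope
    return 200
```

Because only the digest is stored, a leaked copy of the key table does not reveal usable keys, and a lost key can only be replaced, not recovered.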
