API keys

API keys let scripts, CI jobs, and external apps call Dezifi on behalf of a workspace. Each key has a name, a scope, and an audit trail.

What you'll learn
  • How to generate a new API key
  • What read, write, and execute scopes grant
  • How to revoke a key immediately
  • Where to see per-key usage

Generate a key

  1. Open API keys

    Settings → API keys. Click + New key.
  2. Name and scope

    Pick a descriptive name (e.g., "CI: nightly evals"). Choose one or more scopes: read for listing and inspection, write for create/update, execute for triggering agents and workflows.
  3. Copy the key now

    The full key is shown exactly once. Copy it to your secrets manager immediately. After this screen Dezifi only stores the last four characters for identification.

Manage keys

  1. Revoke a key

    Open the key row menu and click Revoke. A client authenticating with this key fails on its next call. Revocation is immediate.
  2. View usage

    Each key row shows total calls, last-used timestamp, and the originating IP for the most recent request. Click the row to drill into per-day usage.
  3. Rotate a key

    Generate a replacement first, deploy it, then revoke the old one. Dezifi never auto-rotates; rotation is a deliberate operator action.
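
Added example (not Dezifi code): a pre-revocation audit that derives the minimal scope set for a job from the scope definitions in the FAQ on this page, flags over-scoped or unused keys, and gates the final rotation step on the per-key last-used timestamp. The record layout, the operation names, and the sample values are assumptions made for this example, not a Dezifi export format or API.

```python
from datetime import datetime, timedelta, timezone

# Scope -> operations, per this page's FAQ. Operation names are labels chosen
# for this example, not Dezifi API identifiers.
SCOPE_OPS = {
    "read": {"list", "get"},
    "write": {"create", "update", "delete"},
    "execute": {"start_run"},
}

def minimal_scopes(needed_ops):
    """Smallest scope set that covers the operations a job performs."""
    needed = set(needed_ops)
    unknown = needed - set().union(*SCOPE_OPS.values())
    if unknown:
        raise ValueError(f"no scope grants: {sorted(unknown)}")
    return {scope for scope, ops in SCOPE_OPS.items() if ops & needed}

def audit_key(key, needed_ops, now, stale_after=timedelta(days=30)):
    """Findings for one key record: over-scoped, under-scoped, or unused."""
    want, have = minimal_scopes(needed_ops), set(key["scopes"])
    findings = []
    if have - want:
        findings.append(f"excess scopes {sorted(have - want)}")
    if want - have:
        findings.append(f"missing scopes {sorted(want - have)}")
    if key["last_used"] is None or now - key["last_used"] > stale_after:
        findings.append("unused: revoke candidate")
    return findings

def safe_to_revoke(old, new, deployed_at):
    """Rotation gate: replacement is in use, old key silent since deploy."""
    new_live = new["last_used"] is not None and new["last_used"] >= deployed_at
    old_quiet = old["last_used"] is None or old["last_used"] < deployed_at
    return new_live and old_quiet

# Constructed sample records; "last4" mirrors the four characters the page says
# remain visible. The field layout is assumed, not a Dezifi export format.
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
DEPLOYED = NOW - timedelta(days=2)
OLD = {"name": "CI: nightly evals", "last4": "a1b2",
       "scopes": ["read", "write", "execute"], "last_used": NOW - timedelta(hours=3)}
NEW = {"name": "CI: nightly evals v2", "last4": "c3d4",
       "scopes": ["read", "execute"], "last_used": NOW - timedelta(hours=1)}

if __name__ == "__main__":
    ops = ["list", "get", "start_run"]           # what the nightly job does
    print(audit_key(OLD, ops, NOW))              # old key carries write it never uses
    print(safe_to_revoke(OLD, NEW, DEPLOYED))    # old key still in use: not yet
```

A False result from safe_to_revoke means some consumer still presents the old key, so revoking it now would produce 401s for that consumer.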

Frequently asked questions

What does each scope grant?
Read grants list and get operations on agents, workflows, and runs. Write grants create, update, and delete on those resources. Execute grants the ability to start runs. Combine scopes as needed.
Can I see the full key value after creation?
No. The full key is displayed only once at creation. After that, only the last four characters are visible. If lost, generate a replacement and revoke the old one.
Are API keys scoped to a workspace?
Yes. A key authenticates only to the workspace it was created in. Use service accounts if you need a shared machine identity with its own key set.
What happens to running jobs if I revoke a key?
In-flight HTTP calls already in progress complete. Any subsequent request — including retries — is rejected with 401. Revocation propagates within seconds.