POST https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/generate-api-key
curl -X POST https://nmixhdvexhgizmxlnhqi.supabase.co/functions/v1/generate-api-key \
  -H "Authorization: Bearer chrt_sk_live_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Frontend Key",
    "type": "pk",
    "environment": "live",
    "team_id": "team_abc123",
    "scopes": ["enc.tiles:read", "interact.identify:read"],
    "domains": ["https://myapp.com", "https://*.myapp.com"],
    "description": "Public key for production web application"
  }'
{
  "data": {
    "id": "key_abc123def456",
    "name": "Production Frontend Key",
    "key": "chrt_pk_live_myteam_ABC123DEF456GHI789...",
    "key_prefix": "chrt_pk_live_myteam_",
    "type": "pk",
    "environment": "live",
    "team_id": "team_abc123",
    "scopes": ["enc.tiles:read", "interact.identify:read"],
    "domains": ["https://myapp.com", "https://*.myapp.com"],
    "ip_whitelist": [],
    "rate_limit": 10000,
    "is_active": true,
    "expires_at": null,
    "created_by": "user_xyz789",
    "created_at": "2024-01-15T10:30:00Z",
    "last_used_at": null,
    "description": "Public key for production web application"
  },
  "meta": {
    "timestamp": "2024-01-15T10:30:00Z",
    "request_id": "req_abc123"
  }
}
Creates a new API key that can be used to authenticate API requests. The key will be returned in the response and cannot be retrieved again after creation.
Secret keys are only shown once. Make sure to copy and store the key securely before closing this response.

Request Body

name (string, required): A descriptive name for the API key to help identify its purpose.
type (string, required): The type of API key to create (pk for a public key, sk for a secret key).
environment (string, required): The environment for this API key (test or live).
team_id (string, required): The UUID of the team this API key belongs to.
scopes (array, optional): Permission scopes for this key. Defaults to ["enc.tiles:read"].
domains (array, optional): Allowed origins for public keys, enforced through CORS and a Referer check.
ip_whitelist (array, optional): Allowed IP addresses or CIDR blocks.
rate_limit (integer, optional): Custom rate limit for this key in requests per hour. Defaults to the plan limit.
expires_at (string, optional): ISO 8601 timestamp at which the key should expire.
description (string, optional): Additional description or notes about this API key.

Response

id (string): Unique identifier for the API key.
name (string): The name of the API key.
key (string): The full API key (only returned once, on creation).
key_prefix (string): The first 20 characters of the key, for identification.
type (string): The type of key (pk or sk).
environment (string): The environment (test or live).
team_id (string): UUID of the team that owns this key.
scopes (array): Granted permission scopes.
domains (array): Allowed domains (for public keys).
ip_whitelist (array): Allowed IP addresses or CIDR blocks.
rate_limit (integer): Rate limit for this key (requests per hour).
is_active (boolean): Whether the key is currently active.
expires_at (string): ISO 8601 timestamp when the key expires (null if not set).
created_by (string): UUID of the user who created this key.
created_at (string): ISO 8601 timestamp when the key was created.
last_used_at (string): ISO 8601 timestamp when the key was last used (null if never used).

Security Considerations

Always set domain restrictions for public keys to prevent unauthorized use:
  • Use specific domains rather than wildcards when possible
  • Include all subdomains you need with *.domain.com patterns
  • Consider IP restrictions for additional security
Follow the principle of least privilege:
  • Grant only the minimum scopes required for your use case
  • Use separate keys for different parts of your application
  • Regularly audit and remove unused scopes
Protect secret keys:
  • Store secret keys in environment variables or secure vaults
  • Never commit keys to version control
  • Use different keys for development, staging, and production
  • Set up key rotation schedules

Common Use Cases

Frontend Public Key

{
  "name": "React App",
  "type": "pk",
  "environment": "live",
  "scopes": ["enc.tiles:read", "interact.identify:read"],
  "domains": ["https://myapp.com"]
}

Backend Secret Key

{
  "name": "API Server",
  "type": "sk",
  "environment": "live",
  "scopes": ["enc.*:read", "keys.manage"],
  "ip_whitelist": ["10.0.0.0/8"]
}
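As an added example (not the project's code), the following TypeScript shows how a server could enforce the per-key restrictions described in Security Considerations and used in the two use cases above when a key is presented: the domains list against the request Origin, including the *.domain.com wildcard form; ip_whitelist as IPv4 CIDR blocks such as 10.0.0.0/8; and scopes, including the enc.*:read wildcard of the Backend Secret Key. The page does not define the exact matching rules, so the ones implemented here are assumptions.

```typescript
// Added example, not the project's code; the matching rules below are assumptions.
// "*.myapp.com" covers api.myapp.com (any depth) but not the apex myapp.com, which
// is listed separately; the leading dot in the suffix stops evil-myapp.com matching.
function hostMatches(host: string, pattern: string): boolean {
  return pattern.startsWith("*.") ? host.endsWith(pattern.slice(1)) : host === pattern;
}
function parseOrigin(origin: string): URL | null {
  try { return new URL(origin); } catch { return null; } // absent or malformed Origin
}
// Checks the request's Origin header against the key's domains list.
function originAllowed(origin: string, domains: string[]): boolean {
  const o = parseOrigin(origin);
  if (!o) return false;
  return domains.some((d) => {
    const [scheme, host] = d.toLowerCase().split("://");
    // Scheme must match too: an http:// page cannot use an https://-only key.
    return !!host && o.protocol === `${scheme}:` && hostMatches(o.hostname, host);
  });
}
function ipv4ToInt(ip: string): number | null {
  const parts = ip.split(".");
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((n, p) => n * 256 + Number(p), 0);
}

// ip_whitelist holds IPv4 addresses or CIDR blocks; an empty list (as in the
// response above) means no IP restriction. An unparsable client IP is denied.
function ipAllowed(ip: string, whitelist: string[]): boolean {
  if (whitelist.length === 0) return true;
  const addr = ipv4ToInt(ip);
  if (addr === null) return false;
  return whitelist.some((entry) => {
    const [net, bitsStr = "32"] = entry.split("/");
    const base = ipv4ToInt(net), bits = Number(bitsStr);
    if (base === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
    const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
    return ((addr & mask) >>> 0) === ((base & mask) >>> 0);
  });
}

// "enc.*:read" grants enc.tiles:read but not enc.tiles:write; a scope without an
// action part, such as keys.manage, must match exactly.
function scopeGranted(required: string, granted: string[]): boolean {
  const [reqRes, reqAct = ""] = required.split(":");
  return granted.some((g) => {
    const [res, act = ""] = g.split(":");
    return act === reqAct && (res === reqRes || (res.endsWith(".*") && reqRes.startsWith(res.slice(0, -1))));
  });
}
```

A rejected Origin or IP should be logged with the key_prefix rather than the full key, so the audit trail identifies the key without exposing it.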