API Keys
Programmatic access to the LaserData Cloud API with scoped permissions
API keys provide programmatic access to the LaserData Cloud API for CI/CD pipelines, CLIs, Terraform providers, and other non-interactive integrations. They use the same permission model as interactive sessions.
How It Works
- Create an API key in the Console, selecting a role and optional IP restrictions
- A high-entropy secret is generated and shown once — it cannot be retrieved again
- Include the secret in the
ld-api-keyheader on every request - The platform validates the key, checks rate limits and IP allowlists, and applies the role's permissions
Creating an API Key
From the Console
- Navigate to your tenant's API Keys page
- Click Create API Key
- Enter a name for the key
- Choose one of:
- Existing role — assign any role already defined in your tenant
- Inline permissions — define permissions directly (a dedicated role is created automatically)
- Set an expiration date (maximum 365 days)
- Click Create
- Copy the secret immediately — it will not be shown again
With Inline Permissions
When creating with inline permissions, you define tenant-level and division-level permissions directly:
{
"name": "monitoring-key",
"expiry_at": "2026-06-01T00:00:00Z",
"permissions": {
"tenant": ["info:read", "member:read"],
"division": ["environment:read"]
}
}Security
| Property | Description |
|---|---|
| High entropy | Long random secret — infeasible to brute-force |
| One-way storage | Only the hash is stored — the secret cannot be recovered |
| Required expiry | Maximum 365 days, enforced at creation |
| Rate limiting | Per-key rate limiter prevents abuse |
| IP allowlisting | Optional — restrict the key to specific IP addresses |
| Instant revocation | Deleting the key blocks access immediately |
IP Allowlisting
Restrict an API key to specific IP addresses for additional security. When enabled, requests from IPs not in the allowlist receive a 403 response. You can update IP restrictions on existing keys without recreating them.
Managing API Keys
From the API Keys page you can:
- View all keys with their name, role, expiry, and creation date
- Update security settings (IP allowlisting) on existing keys
- Delete keys — access is revoked immediately
Required permission: api_key:manage (create, delete, update) or api_key:read (list)
All API key operations are recorded in the audit log.
API Reference
Create an API Key with a Role
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/api_keys \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "ci-deploy-key",
"role_id": 67890,
"division_id": 123,
"expiry_at": "2026-06-01T00:00:00Z",
"validate_ip": false
}'Provide either role_id (use an existing role) or permissions (inline permissions — a dedicated role is created automatically), not both. division_id scopes the key to a specific division.
Create an API Key with Inline Permissions
curl -X POST https://api.laserdata.cloud/tenants/{tenant_id}/api_keys \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "monitoring-key",
"expiry_at": "2026-06-01T00:00:00Z",
"validate_ip": true,
"allowed_ips": ["10.0.0.1"],
"permissions": {
"tenant": ["info:read", "member:read"],
"division": ["environment:read"]
}
}'List API Keys
curl https://api.laserdata.cloud/tenants/{tenant_id}/api_keys \
-H "ld-api-key: YOUR_API_KEY"{
"data": [
{
"id": 1,
"name": "ci-deploy-key",
"division_id": 123,
"division_name": "production",
"role_id": 67890,
"role_name": "deployer",
"validate_ip": false,
"allowed_ips": [],
"expiry_at": "2026-06-01T00:00:00Z",
"created_at": "2025-01-15T10:30:00Z"
}
],
"page": 1,
"results": 10,
"total": 1
}Update Security Settings
curl -X PUT https://api.laserdata.cloud/tenants/{tenant_id}/api_keys/{api_key_id}/security \
-H "ld-api-key: YOUR_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"validate_ip": true,
"allowed_ips": ["10.0.0.1", "192.168.1.0"]
}'Delete an API Key
curl -X DELETE https://api.laserdata.cloud/tenants/{tenant_id}/api_keys/{api_key_id} \
-H "ld-api-key: YOUR_API_KEY"