Skip to main content
API keys are long-lived bearer tokens that authenticate requests to Lyceum Cloud. They’re prefixed lk_ and pass in the Authorization header on every request:
curl https://api.lyceum.technology/api/v2/external/billing/credits \
  -H "Authorization: Bearer lk_your_api_key"
Every endpoint in the API Reference accepts the same header.

Keys belong to an organization

Every API key is scoped to a single organization. The key authenticates the request and pins it to that org, there’s no need to send an extra X-Org-Slug header. The credits, runs, VMs, and deployments associated with the request are all billed and accessed through the key’s org. If you belong to several orgs, create a separate key in each one for the scripts that act on its behalf.

API keys vs JWT tokens

The platform supports two token types:
TokenLifetimeWhen to use
API key (lk_...)Long-lived, until revoked or expiredCLI in CI, scripts, integrations, anything non-interactive
JWTShort-lived, refreshableInteractive dashboard sessions, API playground, testing
JWT users can act on any org they’re a member of by sending X-Org-Slug: <slug>; with an API key, the org is fixed by the key itself.

Lifecycle

API keys can be:
  • Created with a name and an optional expiration date. Creation requires the owner or admin role in the org.
  • Regenerated to issue a fresh secret while keeping the key’s name, org, and expiration. The previous secret stops working immediately, so rotate a key without touching the scripts that reference it by name.
  • Revoked at any time, effective immediately. The row is kept for the audit trail.
The full key value is returned exactly once, in the response to the create or regenerate request. After that, only the prefix (first 8 characters) is visible. If you lose a key, regenerate it or revoke it and create a new one. Creating, regenerating, and revoking all require the owner or admin role in the org.
API keys grant the same access as members of the org they’re scoped to. Store them in a password manager or secret store, and never commit them to source control.

Dashboard

Open API Keys in the dashboard. The page lists every key across every org where you’re an owner or admin, with a filter to narrow by org. Create a new key with the New API Key button; the dialog defaults to the active org but you can pick any org you can manage. Each key row has a regenerate button (the circular-arrows icon) to rotate its secret in place, and a revoke button to disable it. As with creation, the new value from a regenerate is shown only once.

CLI

# List keys in the active org
lyceum org keys list

# Create a key in the active org
lyceum org keys create ci-pipeline

# Create a key in a different org without switching active
lyceum org keys create deploy-prod --org production --expires-at 2027-01-01T00:00:00Z

# Revoke
lyceum org keys revoke <key_id>

REST API

MethodEndpointPurpose
GET/orgs/{slug}/api-keysList the org’s keys (metadata only)
POST/orgs/{slug}/api-keysCreate a key, returns the plaintext value once
POST/orgs/{slug}/api-keys/{key_id}/regenerateRegenerate a key, returns the new plaintext value once
DELETE/orgs/{slug}/api-keys/{key_id}Revoke a key
They all require the owner or admin role in the org.
# Create a key
curl -X POST https://api.lyceum.technology/api/v2/external/orgs/acme/api-keys \
  -H "Authorization: Bearer <your-jwt-or-existing-key>" \
  -H "Content-Type: application/json" \
  -d '{"name": "ci-pipeline", "expires_at": "2027-01-01T00:00:00Z"}'
The response contains plaintext_key, store it immediately.