API keys are long-lived bearer tokens that authenticate requests to Lyceum Cloud. They are prefixed with lk_ and are passed in the Authorization header on every request:
curl https://api.lyceum.technology/api/v2/external/billing/credits \
-H "Authorization: Bearer lk_your_api_key"
Every endpoint in the API Reference accepts the same header.
API keys vs JWT tokens
The platform supports two token types:
| Token | Lifetime | When to use |
|---|---|---|
| API key (lk_...) | Long-lived, until revoked or expired | CLI in CI, scripts, integrations, anything non-interactive |
| JWT | Short-lived, refreshable | Interactive dashboard sessions, API playground, testing |
The CLI uses JWT login by default (lyceum auth login exchanges email and password for a JWT). For non-interactive use — CI pipelines, scheduled jobs, deployed services — generate an API key and pass it as the bearer token instead.
JWTs can be refreshed via POST /auth/refresh. API keys can be revoked or temporarily disabled without deleting them.
Lifecycle
API keys can be:
- Created with a name and an optional expiration date
- Revoked (deleted) at any time, effective immediately
- Toggled active/inactive — useful for temporarily disabling a key without losing the audit trail
The full key value is returned exactly once, in the response to the create request. After that, only the prefix (first 8 characters) is visible. If you lose a key, revoke it and create a new one.
API keys grant the same access as your account. Store them in a password manager or secret store, and never commit them to source control.
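A pre-commit or CI check for the rule above, as an added example that is not part of the Lyceum documentation or tooling: it scans text for strings carrying the lk_ prefix and reports them redacted to the first 8 characters, the same prefix the platform displays. The key body's length and character set are not documented on this page, so the pattern is an assumption, and the sample key and file content are constructed.

```python
import re
import sys

# Assumption: only the "lk_" prefix is documented. The body charset and the
# 20-character minimum are guesses that skip placeholders such as "lk_...";
# tune them to the shape of the keys you are actually issued.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])lk_[A-Za-z0-9_\-]{20,}")
PLACEHOLDER_RE = re.compile(r"your|example|placeholder|x{6,}", re.I)


def redact(key: str) -> str:
    """Keep only the first 8 characters so the report itself leaks nothing."""
    return key[:8] + "..."


def scan_text(text: str, source: str = "<input>"):
    """Return (source, line_number, redacted_key) for each suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.search(key):
                continue  # documentation placeholder, not a credential
            findings.append((source, lineno, redact(key)))
    return findings


# Constructed sample: the key and the variable name are made up.
SAMPLE = """\
# deploy.sh
curl -H "Authorization: Bearer lk_your_api_key" https://api.lyceum.technology/
export LYCEUM_API_KEY=lk_9f3aQ7bX2mK8pL0sT4vW6yZ1cD5eG
api_key: "lk_..."
"""

if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += scan_text(fh.read(), path)
    if not sys.argv[1:]:
        hits = scan_text(SAMPLE, "sample")
    for src, lineno, shown in hits:
        print(f"{src}:{lineno}: possible Lyceum API key {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the commit or CI job
```

Run it with the staged file paths as arguments; any key it reports should be treated as exposed, revoked, and replaced.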
REST API
| Method | Endpoint | Purpose |
|---|---|---|
| GET | /auth/api-keys/ | List your keys |
| POST | /auth/api-keys/ | Create a new key — returns the full value once |
| DELETE | /auth/api-keys/{api_key_id} | Revoke a key |
| PATCH | /auth/api-keys/{api_key_id}/toggle | Activate or deactivate |
| POST | /auth/api-keys/validate | Check whether a key is valid (without using it) |
Validating a key
The /auth/api-keys/validate endpoint lets you check whether an API key is valid and what user it belongs to without making a real authenticated request. Useful for build-time sanity checks in CI:
curl -X POST https://api.lyceum.technology/api/v2/external/auth/api-keys/validate \
-H "Content-Type: application/json" \
-d '{"api_key": "lk_..."}'
The response includes the user ID, email, key name, creation timestamp, and expiry, or an error if the key is invalid or revoked.