Skip to main content
POST https://api.craftkit.dev/v1/projects/{id}/keys
Mint a new project API key (ck_live_…) for a project owned by the authenticated account. This is the programmatic bridge from your one account key into the existing per-project API — the minted key authenticates every endpoint documented under Templates, Renders, and Signatures for that project, exactly like a key minted from the dashboard’s Project → API keys page.
This endpoint mints only ck_live_… project keys — never an account key (ck_acct_…). The account key itself is issued only from the dashboard (Account → API keys); there is no endpoint that mints one. See Account-key auth.

Authorization

Authorization
string
required
Bearer ck_acct_… — must own the target project.

Path

id
string
required
The project id (UUID) to mint a key for.

Body

The body itself is optional — an empty/omitted body mints a key named API key.
name
string
A label for the key (1–200 chars), e.g. Render service (prod). Shown in the dashboard so you can tell keys apart when revoking. Defaults to "API key" when omitted.

Response

201:
id
string
UUID of the new key row.
projectId
string
Echoes the path id — the project this key is scoped to.
name
string
Echoed back (or the "API key" default).
prefix
string
Public-facing prefix (e.g. ck_live_aBcDe) — safe to display in a UI after creation.
key
string
The plaintext project key. Shown exactly once — only its SHA-256 hash is stored, so store it immediately (secret manager or env var). If you lose it, mint a new one and revoke this one.
createdAt
string

Errors

StatuscodeMeaning
400invalid_jsonBody is not valid JSON.
400invalid_requestname present but empty or over 200 chars.
401unauthorizedMissing, invalid, or wrong-type (ck_live_…) bearer token.
404not_foundNo such project owned by this account — a key is never minted for a project you don’t own.
cURL
curl -X POST https://api.craftkit.dev/v1/projects/3f9b6c2e-1a2b-4c3d-9e8f-7a6b5c4d3e2f/keys \
  -H "Authorization: Bearer $CRAFTKIT_ACCOUNT_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "name": "Render service (prod)" }'
201
{
  "id": "9c8b7a6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d",
  "projectId": "3f9b6c2e-1a2b-4c3d-9e8f-7a6b5c4d3e2f",
  "name": "Render service (prod)",
  "prefix": "ck_live_aBcDe",
  "key": "ck_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345",
  "createdAt": "2026-07-02T00:00:00.000Z"
}
For a per-customer multi-tenant integration: create one project per customer (POST /v1/projects), mint one project key here, cache it against that customer, and use the cached ck_live_… key for every render/sign call for them from then on. See Account-key auth for the full pattern.