Skip to main content
The BlindCast Server uses API keys to authenticate management requests. Keys are SHA-256 hashed before storage — the raw key is only shown once at creation time.

Scopes

Only admin and full scopes can create, list, or revoke API keys.

Bootstrap API key

For automated deployments, set the ADMIN_API_KEY environment variable:
This key is accepted as an admin-scope key without being stored in the database. It lets you make the first API call to create a proper stored key.

First-launch setup

If no API keys exist and ADMIN_API_KEY is not set, use the setup endpoint:
Response (201):
The setup endpoint only works once — it returns 409 if any API keys already exist. Store the raw_key immediately; it cannot be retrieved again.
The admin dashboard at /admin guides you through this process with a setup wizard.

Create an API key

Response (201):
Save the raw_key — it is only returned once. The stored keyPrefix shows the first few characters for identification.

List API keys

Response (200):
Raw keys are never returned — only the prefix is shown.

Revoke an API key

Response (200): The revoked key object with a revokedAt timestamp. Revoked keys are rejected on all subsequent requests.

Key format

API keys use the format bk_ followed by 64 hex characters (32 random bytes):
The bk_ prefix makes keys easy to identify in logs and configuration.

Next steps