List API keys

curl --request GET \
  --url https://staging.zerolatencylabs.com/api/v1/api-keys \
  --header 'X-PUBLIC-KEY: <api-key>' \
  --header 'X-REQUEST-ID: <api-key>' \
  --header 'X-SIGNATURE: <api-key>'

[
  {
    "created_at": "2026-06-23T16:00:00.000Z",
    "id": "0190b6c2-7e4a-7c3b-9f21-2b6a1c4e5d8f",
    "key_name": "trading-bot",
    "key_prefix": "k8Jq3xQp",
    "last_used_at": "2026-06-23T16:00:00.000Z",
    "subaccount_index": 1
  }
]

API Keys

List API keys

Lists the API keys registered on an account (prefixes only, no raw keys).

Endpoint

GET /api/v1/api-keys

Authentication

Signing material is carried in the X-PUBLIC-KEY, X-SIGNATURE, and X-REQUEST-ID headers. Signed message: request_id (16) || account_id (8 LE). request_id’s embedded timestamp must fall inside the OG’s skew window [now-15s, now+5s].

Visibility

Derived from the session’s reach (mirrors verify_subaccount_scope):

Pinned keys are returned iff the session can act on their subaccount_index.
Admin-scope keys (subaccount_index = None) are returned iff the caller holds an unpinned session under an admin master key — i.e. their reach also covers the whole account.

A caller with no reachable keys gets 200 OK with an empty list.

Returns

200 OK with a JSON array of ApiKeyResponse (id, prefix, name, subaccount, timestamps).
400 Bad Request if a signing header is malformed or the request_id’s embedded timestamp falls outside the skew window.
401 Unauthorized if a signing header is missing or signature/session verification fails.
500 Internal Server Error if an internal error occurs.

GET

api

api-keys

List API keys

curl --request GET \
  --url https://staging.zerolatencylabs.com/api/v1/api-keys \
  --header 'X-PUBLIC-KEY: <api-key>' \
  --header 'X-REQUEST-ID: <api-key>' \
  --header 'X-SIGNATURE: <api-key>'

[
  {
    "created_at": "2026-06-23T16:00:00.000Z",
    "id": "0190b6c2-7e4a-7c3b-9f21-2b6a1c4e5d8f",
    "key_name": "trading-bot",
    "key_prefix": "k8Jq3xQp",
    "last_used_at": "2026-06-23T16:00:00.000Z",
    "subaccount_index": 1
  }
]

Authorizations

X-PUBLIC-KEY

string

header

required

Base64 ed25519 session public key. Part of the SessionSig triple; not an API key.

X-REQUEST-ID

string

header

required

UUIDv7 replay nonce; its embedded timestamp must fall inside the skew window [now-15s, now+5s]. Part of the SessionSig triple.

X-SIGNATURE

string

header

required

Base64 ed25519 signature over the canonical request message. Part of the SessionSig triple.

Query Parameters

account_id

integer<int64>

required

Required range: x >= 0

Response

Reachable API keys (prefixes only)

created_at

string<date-time>

required

When the key was created.

Example:

"2026-06-23T16:00:00.000Z"

string<uuid>

required

Stable unique identifier of the API key record.

Example:

"0190b6c2-7e4a-7c3b-9f21-2b6a1c4e5d8f"

key_name

string

required

User-supplied label for the key.

Example:

"trading-bot"

key_prefix

string

required

First 8 characters of the key, for display and disambiguation.

Example:

"k8Jq3xQp"

last_used_at

string<date-time> | null

When the key was last used to authenticate; null if never used.

Example:

"2026-06-23T16:00:00.000Z"

subaccount_index

null | integer<int32>

Subaccount the key is pinned to; null for an account-wide (admin-scope) key.

Required range: x >= 0

Rename a portfolio Create API key

⌘I