Skip to main content

API Reference

API Keys

Create and manage API keys with granular scopes and request logging.

note
API keys are shown in plaintext once at creation. Each key carries two access controls: service permissions — which AI services it can call (llm, stt, tts, search, image, or * for all) — and scopes — which platform resources it can touch (bots:read, bots:write, conversations:read, conversations:write, knowledge:read, knowledge:write, webhooks:write, whatsapp:read, whatsapp:write, whatsapp:send). A key also supports a domain allowlist, a per-key RPM limit, a budget cap, allowed models, and allowed search providers. Request and prompt logging are opt-in per key.

Create a key

Key management uses your dashboard session (JWT). This example mints an LLM-only key that can read conversations, capped at 200 req/min and a 5,000-credit budget:

bash
curl https://api.callmissed.com/api/v1/keys \
  -H "Authorization: Bearer <jwt_access_token>" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production LLM key",
    "permissions": "llm",
    "scopes": "conversations:read",
    "rate_limit_rpm": 200,
    "budget_limit": 5000
  }'

The plaintext key is returned once — store it now:

json
{
  "id": "k1234567-89ab-cdef-0123-456789abcdef",
  "name": "Production LLM key",
  "key": "cm_live_3f9a...redacted",
  "permissions": "llm",
  "scopes": "conversations:read",
  "allowed_domains": "*",
  "is_active": true,
  "logs_enabled": false,
  "prompt_logging_enabled": false,
  "budget_limit": 5000.0,
  "budget_used": 0.0,
  "budget_remaining": 5000.0,
  "rate_limit_rpm": 200,
  "allowed_models": "*",
  "created_at": "2026-06-06T12:15:00Z"
}

If you lose it later, POST /api/v1/keys/:id/reveal/request emails an OTP, then .../reveal/verify returns the stored plaintext. New keys have logging off by default — flip logs_enabled (and prompt_logging_enabled for message content) only when you need it.

GET/api/v1/keys Auth

List all API keys (plaintext never returned)

POST/api/v1/keys Auth

Create API key — plaintext shown once

Request Body

namestring (required)
permissionscomma-separated services (llm, stt, tts, search, image) or * — default *
scopescomma-separated resource scopes (bots:read, etc.); empty = no resource access
PATCH/api/v1/keys/:id Auth

Update name, scopes, domains, budget, RPM, allowed models, search providers, or expiry

Request Body

namestring
rpm_limitnumber
budgetnumber (credits)
allowed_modelsarray
expires_atISO8601 | null
PATCH/api/v1/keys/:id/permissions Auth

Set service permissions — any of llm, stt, tts, search, image, or * for all

Request Body

permissionscomma-separated service names or *
PATCH/api/v1/keys/:id/domains Auth

Set the domain allowlist for the key

Request Body

domainsarray of hostnames
PATCH/api/v1/keys/:id/logs Auth

Toggle request logging on/off for a key

Request Body

logs_enabledboolean
PATCH/api/v1/keys/:id/prompt-logs Auth

Toggle capturing prompt/completion content (off by default)

Request Body

prompt_logs_enabledboolean
POST/api/v1/keys/:id/reveal/request Auth

Request an OTP to reveal the stored plaintext key

POST/api/v1/keys/:id/reveal/verify Auth

Verify the OTP and return the plaintext key

Request Body

codestring
GET/api/v1/keys/:id/logs Auth

Recent request logs for a key (latency, model, cost, status, errors)

GET/api/v1/keys/:id/rate-state Auth

Live per-key RPM consumption state

DELETE/api/v1/keys/:id Auth

Revoke an API key permanently

Was this page helpful?