API Keys
Long-lived tokens for scripts, automation, and headless API access. API keys are tied to your user account, not to a specific location. A single key works across all locations you belong to.
Creating a Key
- Go to Settings → API Keys.
- Click Create Key.
- Enter a descriptive name (e.g. "Home automation script", "Backup script").
- Click Create.
- Copy the key immediately — it is shown only once and cannot be retrieved again.
Key Format
All API keys follow this format:
sk_openbin_<random>Using a Key
Include the key in the Authorization header on any API request:
http
GET /api/bins HTTP/1.1
Host: your-openbin-instance.example.com
Authorization: Bearer sk_openbin_abc123...API keys work with all endpoints that support JWT authentication. The server identifies the request as coming from an API key (not a browser session) and records auth_method: api_key in the activity log.
Example with curl
bash
curl -H "Authorization: Bearer sk_openbin_abc123..." \
https://your-openbin-instance.example.com/api/binsExample with fetch
js
const res = await fetch('/api/bins', {
headers: {
'Authorization': 'Bearer sk_openbin_abc123...'
}
});
const data = await res.json();Revoking a Key
- Go to Settings → API Keys.
- Find the key you want to disable.
- Click Revoke.
Revoked keys stop working immediately. Revocation cannot be undone — if you need access again, create a new key.
Key vs. JWT Token
| JWT Token | API Key | |
|---|---|---|
| Lifetime | Short-lived (access token) + refresh cycle | Until revoked |
| Use case | Browser sessions | Scripts, automation, integrations |
| Format | eyJ... (JWT) | sk_openbin_... |
| Created by | Login flow | Settings → API Keys |
| Stored in | HttpOnly cookie | Your environment / secret manager |
Security Best Practices
- Store API keys in environment variables or a secret manager — never in source code.
- Never commit API keys to version control.
- Use a separate key per application or script so you can revoke one without affecting others.
- Revoke compromised keys immediately.
- API keys are long-lived by design — rotate them periodically for sensitive automations.