API keys authenticate machine access to the runtime. They are scoped, revocable, and shown exactly once — we store a hash, not the key, so if you lose it you create a new one.
Creating a key
Create keys from Settings → API keys, or from the CLI. Always pass an explicit scope; unscoped keys are not a thing here on purpose.
y0 keys create --name "ci-deploy" --scope runtime.read,runs.createScopes
- runtime.read — read run logs and traces.
- runs.create — start runs against contexts the key's workspace can see.
- contexts.manage — connect or modify contexts. Grant this one sparingly.
- admin — workspace settings and member management. Humans only, ideally.
Rotation and revocation
Rotate keys every 90 days — we will nudge you at 80. Revocation is immediate: in-flight requests complete, new requests fail with 401 within a second. There is no propagation delay to wait out.
One honest note: keys inherit the workspace's rate limits, not their own. If a CI job is eating your quota, give it its own workspace.