Manage API keys in the panel
API keys let your scripts and CMS plugins authenticate to the Paradarum API without a username and password. This page covers creating, listing, and revoking keys from the dashboard, and the endpoints that back those actions.
Create a key in the dashboard
- Sign in to the Paradarum panel and open Account Settings → API Keys.
- Open the new key form and enter a friendly Name that identifies where the key will be used, for example WordPress purge plugin.
- Click Generate.
- The panel shows the raw key (pdm_...) exactly once, with a copy-to-clipboard button. Copy it now and store it securely.
- After you dismiss the dialog, only the 8-character prefix (for example pdm_AbCd), the name, the created date, the last-used date, and the revoked status are ever shown again.
:::danger Copy the key immediately
The full key is displayed only once. The server keeps only its SHA-256 hash and the 8-character prefix, so it can never show you the raw value again. If you lose it, revoke that key and generate a new one.
:::
:::info Limit: 10 active keys per account
An account may hold at most 10 active (non-revoked) keys. Attempting to generate an 11th returns 400. Revoke keys you no longer use to free a slot.
:::
Manage keys via the API
The same actions are available programmatically. These management endpoints are typically called with a panel-issued Bearer JWT.
| Action | Endpoint |
|---|---|
| Create a key | POST /api/account/apikeys |
| List keys | GET /api/account/apikeys |
| Revoke a key | DELETE /api/account/apikeys/{id} |
Create
curl -X POST https://api.paradarum.com/api/account/apikeys \
  -H "Authorization: Bearer YOUR_JWT" \
  -H "Content-Type: application/json" \
  -d '{ "name": "WordPress purge plugin" }'
The 201 response carries the raw key once, in data.key:
{
  "succeeded": true,
  "message": "...",
  "data": {
    "id": 12,
    "name": "WordPress purge plugin",
    "key": "pdm_XXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "keyPrefix": "pdm_XXXX",
    "createdAt": "..."
  }
}
List
curl https://api.paradarum.com/api/account/apikeys \
  -H "Authorization: Bearer YOUR_JWT"
The list is ordered newest first and never includes the raw key. Each entry carries id, name, keyPrefix, createdAt, lastUsedAt, and isRevoked.
Revoke
curl -X DELETE https://api.paradarum.com/api/account/apikeys/12 \
  -H "Authorization: Bearer YOUR_JWT"
| Result | Meaning |
|---|---|
| 200 | Key revoked (soft delete) |
| 404 | No key with that ID |
| 400 | Key was already revoked |
:::warning Revocation is irreversible
Revoking a key is a soft, permanent delete — there is no way to reactivate it. Any integration still using that key will start failing with 401 immediately. Have its replacement ready before you revoke.
:::
Best practices
- One key per integration. Give each plugin, script, or environment its own named key so you can revoke one without breaking the others, and so lastUsedAt tells you what is still in use.
- Name keys descriptively. Use the name to record where the key lives (for example Production WordPress vs Staging WordPress).
- Store keys in a secrets manager. A key grants full account access and never expires on its own. Treat it like a password and never commit it to source control.
- Revoke unused keys. Audit the list periodically and revoke anything you no longer recognize or use; this also keeps you under the 10-key limit.
:::tip No granular scopes
A key grants full account-level access to all account-scoped endpoints; there are no per-endpoint permissions. Keep the blast radius small by issuing a dedicated key per integration and revoking promptly.
:::
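The periodic audit recommended under Best practices, as an added example (not Paradarum's own code): it reads a list response and flags active keys that look unused, along with how many of the 10 slots remain. The response envelope (a data array), ISO 8601 timestamps, a null lastUsedAt for never-used keys, and the 90-day threshold are assumptions; the sample data is constructed.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_ACTIVE_KEYS = 10  # per-account limit stated on this page

# Constructed sample of a GET /api/account/apikeys response. The envelope with a
# "data" array, ISO 8601 timestamps, and null lastUsedAt are assumptions.
SAMPLE_RESPONSE = """
{"succeeded": true, "data": [
 {"id": 14, "name": "Staging WordPress", "keyPrefix": "pdm_Qr7t",
  "createdAt": "2024-05-20T09:00:00Z", "lastUsedAt": null, "isRevoked": false},
 {"id": 12, "name": "Production WordPress", "keyPrefix": "pdm_AbCd",
  "createdAt": "2024-01-10T09:00:00Z", "lastUsedAt": "2024-05-30T17:45:00Z", "isRevoked": false},
 {"id": 9, "name": "old deploy script", "keyPrefix": "pdm_Zx91",
  "createdAt": "2023-06-01T09:00:00Z", "lastUsedAt": "2023-11-02T08:12:00Z", "isRevoked": false},
 {"id": 7, "name": "laptop test", "keyPrefix": "pdm_Lm3k",
  "createdAt": "2023-03-01T09:00:00Z", "lastUsedAt": "2023-03-02T10:00:00Z", "isRevoked": true}
]}
"""

def _parse(ts):
    """Parse an ISO 8601 timestamp; None means the key has never been used."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")) if ts else None

def audit_keys(response_text, now, stale_after_days=90):
    """Return (revocation candidates, active key count, free slots)."""
    keys = json.loads(response_text)["data"]
    active = [k for k in keys if not k["isRevoked"]]
    cutoff = now - timedelta(days=stale_after_days)
    candidates = []
    for k in active:
        last_used = _parse(k["lastUsedAt"])
        created = _parse(k["createdAt"])
        if last_used is None and created < cutoff:
            reason = "never used"
        elif last_used is not None and last_used < cutoff:
            reason = f"idle since {last_used.date()}"
        else:
            continue  # recently used, or too new to judge
        candidates.append((k["id"], k["keyPrefix"], k["name"], reason))
    return candidates, len(active), MAX_ACTIVE_KEYS - len(active)

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for a repeatable run
    stale, active, free = audit_keys(SAMPLE_RESPONSE, now)
    print(f"{active} active keys, {free} slots free")
    for key_id, prefix, name, reason in stale:
        print(f"review id={key_id} {prefix} ({name}): {reason}")
```

Because revocation cannot be undone, the script only reports candidates; confirm each one against its integration before calling the DELETE endpoint.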
Related pages
- Authentication — how to send a key on each request.
- Purging cache — the most common use of an automation key.