API keys
Org-scoped bearer keys (pak_…) for the REST API and MCP server, with scopes and an optional MCP tool allowlist.
API keys authenticate non-browser callers — CI, scripts, agents. A key belongs to one organization and carries that org’s scope on every call.
Create a key
From Deploy keys in the console, or the API. The plaintext token is shown once — only its SHA-256 hash is stored, so copy it immediately.
```bash
curl -X POST https://cloud.backlex.com/api/org/<org>/api-keys \
  -H "Authorization: Bearer pak_..." \
  -H "Content-Type: application/json" \
  -d '{"name":"ci","scope":"deploy","expiresInDays":90}'
```

The token is prefixed `pak_`. Use it as a bearer token:
```bash
curl https://cloud.backlex.com/api/org/<org>/projects \
  -H "Authorization: Bearer pak_..."
```

Scopes

| Scope | Can do |
|---|---|
| `read-only` | Read endpoints + read-only MCP tools |
| `deploy` | Read + project lifecycle (create, deploy, branches, backups) |
| `full` | Everything the key’s org role allows |
Options
- `expiresInDays` — optional TTL; the key stops working after it lapses.
- `mcpTools` — an optional allowlist (max 64) pinning the key to a subset of MCP tools. A `read-only` key can never call write tools, regardless of the allowlist.
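The hash-only storage, TTL and allowlist rules described above can be modelled as a single deny-by-default check. This is an added illustration, not Backlex's server code: the token body format, the function names and the tool names `list_projects` and `deploy_project` are assumptions, and org roles and the difference between `deploy` and `full` are not modelled.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, Optional

SCOPES = ("read-only", "deploy", "full")
MAX_MCP_TOOLS = 64  # allowlist cap stated on this page

@dataclass
class KeyRecord:
    scope: str
    expires_at: Optional[datetime]        # None = no TTL
    mcp_tools: Optional[FrozenSet[str]]   # None = no allowlist
    revoked: bool = False

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

def issue_key(store: Dict[str, KeyRecord], scope: str, now: datetime,
              expires_in_days: Optional[int] = None,
              mcp_tools: Optional[Iterable[str]] = None) -> str:
    """Return the plaintext token once; the store keeps only its SHA-256 hash."""
    tools = None if mcp_tools is None else frozenset(mcp_tools)
    if scope not in SCOPES:
        raise ValueError("unknown scope")
    if tools is not None and len(tools) > MAX_MCP_TOOLS:
        raise ValueError("mcpTools allowlist exceeds 64 entries")
    expires = None if expires_in_days is None else now + timedelta(days=expires_in_days)
    token = "pak_" + secrets.token_urlsafe(32)  # token body format is assumed
    store[token_hash(token)] = KeyRecord(scope, expires, tools)
    return token

def may_call_tool(store: Dict[str, KeyRecord], token: str, tool: str,
                  tool_is_write: bool, now: datetime) -> bool:
    """Decide one MCP tool call; every failed check denies."""
    rec = store.get(token_hash(token)) if token.startswith("pak_") else None
    if rec is None or rec.revoked:
        return False
    if rec.expires_at is not None and now >= rec.expires_at:
        return False
    if tool_is_write and rec.scope == "read-only":
        return False  # scope is checked first, so the allowlist cannot widen it
    return rec.mcp_tools is None or tool in rec.mcp_tools

if __name__ == "__main__":
    store, t0 = {}, datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed inputs
    tok = issue_key(store, "read-only", t0, 90, ["list_projects", "deploy_project"])
    print(may_call_tool(store, tok, "deploy_project", True, t0))
```

Because the store is keyed by the digest, a leaked copy of it does not yield usable bearer tokens, which is also why a lost token has to be replaced rather than recovered.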
Revoke
Revoking a key takes effect immediately:

```bash
curl -X DELETE https://cloud.backlex.com/api/org/<org>/api-keys/<id> \
  -H "Authorization: Bearer pak_..."
```

Creating and revoking keys requires the admin role.