> ## Documentation Index
> Fetch the complete documentation index at: https://docs.outkit.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create, rotate, and revoke API keys from the terminal

Every API key is bound to a single Outkit profile at creation time. The CLI surfaces the
full lifecycle.

## Create

```bash theme={null}
outkit keys create -n "dev key"
```

What it does:

* Creates a new key under the active profile (from `outkit.json`).
* Shows the **plaintext key exactly once** — it's never shown again, never logged, and only
  the SHA-256 hash lives in our database.
* Offers to append `OUTKIT_API_KEY=…` to `.env.local` (or your project's env file).

Use `--profile <id>` to bind to a different profile without switching the active one:

```bash theme={null}
outkit keys create -n "production" --profile <profileId>
```

## List

```bash theme={null}
outkit keys list           # active keys for the active profile
outkit keys list --all     # include revoked keys
outkit keys list --profile <profileId>
```

The list shows the masked key (first 8 chars + ••••••••), name, environment, last-used time,
and status.

## Stats

```bash theme={null}
outkit keys stats <keyId>
```

Renders served, error rate, last-used time, and current rate-limit headroom.

## Rotate

```bash theme={null}
outkit keys rotate <keyId>
```

Generates a new plaintext key (shown once) and starts a **24-hour grace window** during which
both the old and new keys are accepted. After 24 hours the old key is revoked automatically.

## Revoke

```bash theme={null}
outkit keys revoke <keyId>
```

Immediately invalidates the key everywhere. Renderer requests using a revoked key get `401`
on the next call. Use `-y` to skip the confirmation prompt.

## Storage rules

* Plaintext keys are shown in your terminal exactly once at creation/rotation. Save them
  immediately. There is no way to recover a key after the screen scrolls.
* Never commit a key. The CLI's env-file write helper appends to `.env.local` (gitignored by
  most frameworks).
* The CLI **never** stores a plaintext key on disk.

## Next Steps

<CardGroup cols={2}>
  <Card title="Use the key in your app" icon="code" href="/docs/sdk/react">
    Wire `OUTKIT_API_KEY` into your backend proxy.
  </Card>

  <Card title="Tail render logs" icon="terminal" href="/docs/cli/dev">
    `outkit logs tail` streams new render events as they happen.
  </Card>
</CardGroup>