These endpoints are enterprise-only. Your API key must belong to an enterprise-tier organization, and you must be an admin or owner of that organization to use them. No global admin key is required.
Enterprise org admins can create, list, and revoke API keys for members of their organization using these three endpoints. The caller’s identity and org are derived from the API key in the Authorization header.
Create a key for an org member
Creates an API key for a user (by email), adding them to the organization if they aren’t already a member.
curl -X POST https://api.raysurfer.com/api/keys/org/create \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "[email protected]",
    "key_name": "Dev laptop",
    "role": "member"
  }'
| Field | Type | Default | Description |
|---|---|---|---|
| email | string | required | Email of the target user |
| key_name | string | required | Display name for the key |
| role | string | "member" | "member" or "admin" — only org owners can assign "admin" |
Response:
{
  "id": "a1b2c3d4-...",
  "name": "Dev laptop",
  "key": "rs_live_abc123...",
  "key_prefix": "rs_live_abc123456789",
  "user_email": "[email protected]",
  "organization_id": "org-uuid-...",
  "organization_name": "Acme Corp",
  "is_new_member": true,
  "created_at": "2025-06-01T12:00:00Z"
}
The full API key is only returned once at creation time. Store it securely — it cannot be retrieved again.
Rate limit: 20 requests/minute
List all keys in the org
Returns all active (non-revoked) API keys in the caller’s organization, including the key prefix, user email, and timestamps.
curl -X POST https://api.raysurfer.com/api/keys/org/list \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json"
No request body is needed — the org is derived from the caller’s API key.
Response:
{
  "keys": [
    {
      "id": "a1b2c3d4-...",
      "name": "Dev laptop",
      "key_prefix": "rs_live_abc123456789",
      "user_email": "[email protected]",
      "user_id": "user-uuid-...",
      "created_at": "2025-06-01T12:00:00Z",
      "last_used_at": "2025-06-10T09:30:00Z"
    }
  ],
  "organization_id": "org-uuid-..."
}
Rate limit: 30 requests/minute
Revoke a key
Revokes an API key by ID. The key must belong to the caller’s organization — you cannot revoke keys from other orgs.
curl -X POST https://api.raysurfer.com/api/keys/org/revoke \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "key_id": "a1b2c3d4-..."
  }'
| Field | Type | Description |
|---|---|---|
| key_id | string | UUID of the key to revoke |
Response:
{
  "success": true,
  "key_id": "a1b2c3d4-..."
}
Returns 404 if the key is not found, already revoked, or belongs to a different organization.
Rate limit: 10 requests/minute
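The list and revoke endpoints together support a periodic stale-key audit. The following is an added example, not Raysurfer's own code: it picks idle keys out of a list response and schedules revoke request bodies within the 10 requests/minute limit. The sample response is constructed and trimmed to the fields used, the function names and the 90-day threshold are hypothetical, and a null `last_used_at` for never-used keys is an assumption.

```python
import json
from datetime import datetime, timedelta, timezone

REVOKE_PER_MINUTE = 10  # revoke rate limit stated on the page

# Constructed sample shaped like the /api/keys/org/list response (values made up).
SAMPLE_LIST_RESPONSE = json.loads("""
{"keys": [
  {"id": "key-1", "name": "Dev laptop", "user_email": "dev@example.com",
   "created_at": "2025-06-01T12:00:00Z", "last_used_at": "2025-06-10T09:30:00Z"},
  {"id": "key-2", "name": "Old CI", "user_email": "ci@example.com",
   "created_at": "2025-01-15T08:00:00Z", "last_used_at": "2025-02-01T00:00:00Z"},
  {"id": "key-3", "name": "Never used", "user_email": "new@example.com",
   "created_at": "2025-03-01T00:00:00Z", "last_used_at": null}
 ],
 "organization_id": "org-1"}
""")

def parse_ts(value):
    """Parse the API's ISO 8601 UTC timestamps (trailing 'Z')."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_keys(list_response, now, max_idle_days=90):
    """Return keys idle for more than max_idle_days.

    Assumption: a never-used key has a null or absent last_used_at;
    its idle time is then measured from created_at.
    """
    cutoff = now - timedelta(days=max_idle_days)
    return [k for k in list_response["keys"]
            if parse_ts(k.get("last_used_at") or k["created_at"]) < cutoff]

def revoke_plan(keys, per_minute=REVOKE_PER_MINUTE):
    """Return (delay_seconds, request_body) pairs, batched per minute
    so the revoke endpoint's rate limit is never exceeded."""
    return [((i // per_minute) * 60, {"key_id": k["id"]})
            for i, k in enumerate(keys)]

if __name__ == "__main__":
    now = datetime(2025, 6, 15, tzinfo=timezone.utc)  # fixed "today" for the demo
    for delay, body in revoke_plan(stale_keys(SAMPLE_LIST_RESPONSE, now)):
        print(f"t+{delay}s  POST /api/keys/org/revoke  {json.dumps(body)}")
```

Each planned body matches the revoke request shown above; review the selected keys by `name` and `user_email` before sending.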
Error codes
| Status | Code | Meaning |
|---|---|---|
| 401 | auth/missing_api_key | No API key provided |
| 401 | auth/invalid_api_key | Key is invalid or revoked |
| 403 | permission/not_org_member | Caller’s key is not linked to an org |
| 403 | permission/enterprise_required | Org is not on the enterprise tier |
| 403 | permission/admin_key_required | Caller is not an admin/owner of the org |
| 403 | permission/only_owner_can_promote | Only owners can assign the admin role |
| 400 | validation/member_limit_reached | Org has hit its member cap |
| 404 | not_found/api_key | Key not found or already revoked |