These endpoints are enterprise-only. Your API key must belong to an enterprise-tier organization, and you must be an admin or owner of that organization to use them. No global admin key is required.
Enterprise org admins can create, list, and revoke API keys for members of their organization using these three endpoints. The caller’s identity and org are derived from the API key in the Authorization header.

Create a key for an org member

Creates an API key for a user (by email), adding them to the organization if they aren’t already a member.
curl -X POST https://api.raysurfer.com/api/keys/org/create \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "dev@example.com",
    "key_name": "Dev laptop",
    "role": "member"
  }'
| Field | Type | Default | Description |
| --- | --- | --- | --- |
| email | string | required | Email of the target user |
| key_name | string | required | Display name for the key |
| role | string | "member" | "member" or "admin" — only org owners can assign "admin" |
Response:
{
  "id": "a1b2c3d4-...",
  "name": "Dev laptop",
  "key": "rs_live_abc123...",
  "key_prefix": "rs_live_abc123456789",
  "user_email": "dev@example.com",
  "organization_id": "org-uuid-...",
  "organization_name": "Acme Corp",
  "is_new_member": true,
  "created_at": "2025-06-01T12:00:00Z"
}
The full API key is only returned once at creation time. Store it securely — it cannot be retrieved again.
Rate limit: 20 requests/minute

List all keys in the org

Returns all active (non-revoked) API keys in the caller’s organization, including the key prefix, user email, and timestamps.
curl -X POST https://api.raysurfer.com/api/keys/org/list \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json"
No request body is needed — the org is derived from the caller’s API key.
Response:
{
  "keys": [
    {
      "id": "a1b2c3d4-...",
      "name": "Dev laptop",
      "key_prefix": "rs_live_abc123456789",
      "user_email": "dev@example.com",
      "user_id": "user-uuid-...",
      "created_at": "2025-06-01T12:00:00Z",
      "last_used_at": "2025-06-10T09:30:00Z"
    }
  ],
  "organization_id": "org-uuid-..."
}
Rate limit: 30 requests/minute

Revoke a key

Revokes an API key by ID. The key must belong to the caller’s organization — you cannot revoke keys from other orgs.
curl -X POST https://api.raysurfer.com/api/keys/org/revoke \
  -H "Authorization: Bearer $RAYSURFER_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "key_id": "a1b2c3d4-..."
  }'
| Field | Type | Description |
| --- | --- | --- |
| key_id | string | UUID of the key to revoke |
Response:
{
  "success": true,
  "key_id": "a1b2c3d4-..."
}
Returns 404 if the key is not found, already revoked, or belongs to a different organization.
Rate limit: 10 requests/minute
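The list and revoke endpoints above can be combined into a periodic key-hygiene review. The following is an added example, not part of the Raysurfer documentation: it scans a list response for keys idle past a threshold and builds the matching revoke request bodies. The sample data, the function names, the 90-day threshold, and the treatment of a null `last_used_at` as "never used" are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like the /api/keys/org/list response shown above.
SAMPLE_LIST_RESPONSE = {"organization_id": "org-placeholder", "keys": [
    {"id": "key-1-placeholder", "name": "Dev laptop", "key_prefix": "rs_live_sample1",
     "user_email": "dev@example.com", "user_id": "user-1-placeholder",
     "created_at": "2025-06-01T12:00:00Z", "last_used_at": "2025-06-10T09:30:00Z"},
    {"id": "key-2-placeholder", "name": "Old CI runner", "key_prefix": "rs_live_sample2",
     "user_email": "ci@example.com", "user_id": "user-2-placeholder",
     "created_at": "2025-01-15T08:00:00Z", "last_used_at": "2025-02-01T10:00:00Z"},
    {"id": "key-3-placeholder", "name": "Never used", "key_prefix": "rs_live_sample3",
     "user_email": "dev@example.com", "user_id": "user-1-placeholder",
     "created_at": "2025-03-01T00:00:00Z", "last_used_at": None},
]}

def parse_ts(value):
    """Parse an ISO 8601 'Z' timestamp into an aware UTC datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def find_stale_keys(list_response, now, max_idle_days=90):
    """Return keys idle longer than max_idle_days, longest-idle first."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for key in list_response.get("keys", []):
        last_used = key.get("last_used_at")
        # Assumption: a never-used key has a null or missing last_used_at.
        # Fall back to created_at so freshly issued keys are not flagged.
        last_activity = parse_ts(last_used or key["created_at"])
        if last_activity < cutoff:
            stale.append({
                "key_id": key["id"],
                "key_prefix": key["key_prefix"],
                "user_email": key["user_email"],
                "reason": "idle" if last_used else "never_used",
                "idle_days": (now - last_activity).days,
            })
    return sorted(stale, key=lambda k: k["idle_days"], reverse=True)

def revoke_bodies(stale):
    """Build one JSON body per stale key for /api/keys/org/revoke."""
    return [{"key_id": k["key_id"]} for k in stale]

if __name__ == "__main__":
    now = datetime(2025, 6, 15, tzinfo=timezone.utc)
    for entry in find_stale_keys(SAMPLE_LIST_RESPONSE, now):
        print(entry)
```

When sending the resulting bodies, pace the calls to stay within the revoke endpoint's 10 requests/minute limit.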

Error codes

| Status | Code | Meaning |
| --- | --- | --- |
| 401 | auth/missing_api_key | No API key provided |
| 401 | auth/invalid_api_key | Key is invalid or revoked |
| 403 | permission/not_org_member | Caller’s key is not linked to an org |
| 403 | permission/enterprise_required | Org is not on the enterprise tier |
| 403 | permission/admin_key_required | Caller is not an admin/owner of the org |
| 403 | permission/only_owner_can_promote | Only owners can assign the admin role |
| 400 | validation/member_limit_reached | Org has hit its member cap |
| 404 | not_found/api_key | Key not found or already revoked |