---
title: API Keys
description: How authenticated keys are created, used, and revoked.
type: guide
summary: Google sign-in, D1-backed key storage, and bearer-token use.
related:
  - /en/docs/quickstart
  - /en/docs/client-setup
  - /en/docs/rest
  - /en/docs/errors
---

# API Keys



API keys are managed from the production web account page:

```txt
https://aiworkflowmcp.com/en/account/api-keys/
```

## Sign-In Flow [#sign-in-flow]

Sign in with Google/Gmail or email through production Clerk. The account page is protected by Clerk middleware and redirects unauthenticated users to:

```txt
https://aiworkflowmcp.com/en/sign-in/
```

The protected account route is:

```txt
/:locale/account/*
```

The API key page is the default account destination. Opening `https://aiworkflowmcp.com/en/account/` redirects to the API key manager.

## Create A Key [#create-a-key]

1. Open `https://aiworkflowmcp.com/en/account/api-keys/`.
2. Enter a short name such as `Local Claude Code`, `CI smoke`, or `Production app`.
3. Click `Create key`.
4. Copy the returned secret immediately.

Keys use the `ak_` prefix. The full value is displayed once and cannot be recovered later.

## Storage [#storage]

Keys are generated once and displayed once. The full secret is never stored after creation. D1 stores the key hash, prefix, user id, tier, creation time, last-used time, and revocation time.

The web account page shows active and revoked keys with:

* key name
* key prefix
* tier
* creation time
* last-used time
* revoked state
* 30-day usage count

## Request Headers [#request-headers]

Preferred form:

```bash
curl -fsS \
  -H "Authorization: Bearer ${AIWORKFLOWMCP_API_KEY}" \
  "https://mcp.aiworkflowmcp.com/v1/models/list?limit=1"
```

You can also send the key as `x-api-key`, but `Authorization: Bearer ...` is the preferred form.

Fallback form:

```bash
curl -fsS \
  -H "x-api-key: ${AIWORKFLOWMCP_API_KEY}" \
  "https://mcp.aiworkflowmcp.com/v1/tools/list?limit=3"
```

## Quotas And Usage [#quotas-and-usage]

Public calls are rate-limited by IP. Authenticated calls are rate-limited by API key and receive a higher per-minute limit.

Current production health exposes:

```txt
public limit: 120 requests/minute
authenticated limit: 600 requests/minute
```

The account page calculates the 30-day call count from `usage_log`. Usage is recorded for authenticated REST and MCP requests after the Worker responds.

## Revocation [#revocation]

Revoked keys return:

```txt
401 invalid API key
```

The account page keeps revoked keys visible with prefix, creation time, last-used time, and 30-day call count so users can audit their own usage.

## Auth Failures [#auth-failures]

Wrong prefix:

```json
{
  "error": "invalid API key",
  "hint": "Use Authorization: Bearer ak_..."
}
```

Unknown, revoked, or deleted key:

```json
{
  "error": "invalid API key"
}
```

Expired key:

```json
{
  "error": "expired API key"
}
```

All authentication failures return `401` and `cache-control: no-store`.
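
The storage model and the failure responses above, sketched as an added Node.js example; it is not the service's own code. SHA-256 as the hash, a `Map` standing in for D1, the 8-character prefix, the treatment of key-less requests as public, and all function and field names are assumptions.

```javascript
// Added example (assumptions: SHA-256, in-memory Map instead of D1,
// hypothetical field names). Only the hash and metadata are persisted.
const { createHash, randomBytes } = require("node:crypto");

const hashKey = (secret) => createHash("sha256").update(secret).digest("hex");

// Create a key: the full secret is returned once and never stored.
function createKey(store, userId, name, expiresAt = null) {
  const secret = "ak_" + randomBytes(24).toString("base64url");
  store.set(hashKey(secret), {
    userId, name,
    prefix: secret.slice(0, 8), // display prefix length is an assumption
    createdAt: Date.now(), lastUsedAt: null, revokedAt: null, expiresAt,
  });
  return secret;
}

// Prefer Authorization: Bearer, fall back to x-api-key.
// Header names are expected in lower case.
function extractKey(headers) {
  const auth = headers["authorization"] || "";
  if (/^Bearer /i.test(auth)) return auth.slice(7).trim();
  return headers["x-api-key"] || null;
}

// Every authentication failure is a 401 that must not be cached.
const deny = (body) => ({
  status: 401,
  headers: { "cache-control": "no-store" },
  body,
});

function authenticate(store, headers, now = Date.now()) {
  const key = extractKey(headers);
  // No key at all: treated here as a public, IP-limited call (assumption).
  if (key === null) return { status: 200, userId: null };
  if (!key.startsWith("ak_"))
    return deny({ error: "invalid API key", hint: "Use Authorization: Bearer ak_..." });
  const row = store.get(hashKey(key)); // lookup by hash, not by secret
  // Unknown and revoked keys get the same body, so callers cannot tell them apart.
  if (!row || row.revokedAt !== null) return deny({ error: "invalid API key" });
  if (row.expiresAt !== null && row.expiresAt <= now)
    return deny({ error: "expired API key" });
  row.lastUsedAt = now;
  return { status: 200, userId: row.userId };
}
```

Because only the hash is kept, a copy of the key table does not yield usable bearer tokens, which is also why a lost key has to be replaced rather than recovered.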

