Skip to main content
API keys (sk_live_...) are the primary credential for the ThunderPhone REST API. They are secret — treat them like a password. Each key is bound to exactly one organization; when an API call authenticates with a key, we look up the bound org automatically, which is why the rest of this reference never asks for an org id in the URL path. This page documents the endpoints for creating, listing, and revoking keys — the same operations the dashboard exposes at Settings → Keys. You can create your first key from the dashboard without ever using this API.

Endpoints

MethodPathRequired roleDescription
GET/v1/developer/api-keysadmin+List API keys
POST/v1/developer/api-keysadmin+Create a new API key
DELETE/v1/developer/api-keys/{key_id}admin+Revoke an API key
These endpoints require an admin or owner role. You can use them with an existing API key (if its creator has admin+ permissions) to rotate keys programmatically.

API key object

{
  "id": "b1c2d3e4-...",
  "name": "production",
  "key_prefix": "sk_live_abcde12",
  "is_active": true,
  "created_at": "2026-04-20T18:24:10.113Z",
  "last_used_at": "2026-04-20T18:25:06.201Z",
  "revoked_at": null
}
FieldTypeDescription
idUUIDPublic id used by the revoke endpoint
namestringDisplay label
key_prefixstringFirst 15 chars of the raw key for UI display (always sk_live_ + 7 hex chars). The full key is NOT returned after creation
is_activebooleanfalse once the key is revoked
created_attimestamp
last_used_attimestamp | nullUpdated best-effort on every successful request
revoked_attimestamp | nullIf set, the key is revoked and will no longer authenticate

List API keys

curl https://api.thunderphone.com/v1/developer/api-keys \
  -H "Authorization: Bearer sk_live_YOUR_API_KEY"
Returns an array of API key objects — both active and revoked keys, sorted by created_at descending.

Create an API key

curl -X POST https://api.thunderphone.com/v1/developer/api-keys \
  -H "Authorization: Bearer sk_live_YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "production"}'
FieldTypeRequiredDescription
namestringnoDisplay label, 1–120 chars. Defaults to "Default key"
Returns 201 Created with the API key object plus an extra top-level key field containing the raw sk_live_ value: 
{
  "id": "b1c2d3e4-...",
  "name": "production",
  "key_prefix": "sk_live_abcde12",
  "is_active": true,
  "created_at": "2026-04-20T18:24:10.113Z",
  "last_used_at": null,
  "revoked_at": null,
  "key": "sk_live_abcdef1234567890abcdef1234567890abcdef123456"
}
key is returned only once. Store it in your secret manager immediately — if you lose it, revoke it and create a new one. Every subsequent GET returns only the key_prefix.

Revoke an API key

curl -X DELETE https://api.thunderphone.com/v1/developer/api-keys/b1c2d3e4-... \
  -H "Authorization: Bearer sk_live_YOUR_API_KEY"
Returns 204 No Content. Revoked keys are permanently invalidated — all future requests using the key return 401 Unauthorized. You cannot un-revoke; create a new key instead.
You can revoke the key you’re currently using, but do it from a different key or your revoke call will succeed and then your next call will fail.

Authentication

How sk_live_ keys are attached to requests.

Publishable Keys

Public pk_live_ keys for the widget — different lifecycle.