API Keys
Programmatic access for server-to-server integrations.
Key Format
MediaKit API keys follow the format:
```text
mk_live_a1b2c3d4e5f6g7h8i9j0...
```
The mk_live_ prefix makes keys easily identifiable in logs and code reviews.
Create a Key
Via Admin Panel
- Go to API Keys in sidebar
- Click Create
- Name your key and select scopes
- Copy the full key immediately — it's shown only once
Via API
```bash
curl -X POST /api/keys \
  -H "Authorization: Bearer JWT_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production Backend",
    "scopes": ["read:assets", "write:assets", "read:analytics"]
  }'
```
Response (key shown only once)
```json
{
  "data": {
    "id": 1,
    "name": "Production Backend",
    "key": "mk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
    "key_prefix": "mk_live_a1b2c3",
    "scopes": ["read:assets", "write:assets", "read:analytics"],
    "is_active": true
  }
}
```
Available Scopes
| Scope | Allows |
|---|---|
| read:assets | List and view assets, playback info |
| write:assets | Upload, update, delete assets |
| read:analytics | View analytics data and summaries |
Using API Keys
Pass the key in the X-API-Key header:
```bash
# List all assets
curl /api/assets \
  -H "X-API-Key: mk_live_a1b2c3..."

# Upload a video
curl -X POST /api/mediakit/uploads/presign \
  -H "X-API-Key: mk_live_a1b2c3..." \
  -H "Content-Type: application/json" \
  -d '{"filename": "video.mp4", "content_type": "video/mp4", "file_size": 1048576}'

# Get analytics
curl /api/analytics/summary \
  -H "X-API-Key: mk_live_a1b2c3..."
```
Revoke a Key
```bash
curl -X DELETE /api/keys/1 \
  -H "Authorization: Bearer JWT_TOKEN"
```
Revoked keys are immediately invalidated. Any requests using the key will return 401 Unauthorized.
Security Best Practices
- Never expose API keys in client-side code — use them server-side only
- Use the minimum required scopes for each key
- Rotate keys periodically by creating new ones and revoking old ones
- Store keys in environment variables, not in code
- Use the read:assets scope for public-facing endpoints that only need to fetch playback URLs
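
The mk_live_ prefix and the advice to keep keys out of code make an automated check straightforward. The scanner below is an added example, not part of MediaKit: it flags key-shaped tokens in source or log text and reports only the key_prefix portion, so a finding can be matched to a key record and revoked. The key alphabet and minimum length in the pattern, the sample inputs, and the MEDIAKIT_API_KEY variable name are assumptions.

```python
import re

# Assumption: the secret part is at least 16 characters of [A-Za-z0-9]. The page
# shows a single sample key, so tune this to the real key alphabet and length.
KEY_RE = re.compile(r"\bmk_live_[A-Za-z0-9]{16,}\b")
# Same length as the key_prefix field in the sample create-key response.
PREFIX_LEN = len("mk_live_a1b2c3")


def redact(key: str) -> str:
    """Keep only the key_prefix part so the report never repeats the secret."""
    return key[:PREFIX_LEN] + "..."


def scan_text(name: str, text: str) -> list:
    """Return one finding per key-shaped token found in the given text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append({
                "source": name,
                "line": lineno,
                "key_prefix": redact(match.group()),
                "redacted_line": KEY_RE.sub(lambda m: redact(m.group()), line),
            })
    return findings


# Constructed sample inputs: a source file with a hardcoded key next to the
# environment-variable form, and an access log line that recorded the header.
SAMPLE_SOURCE = '''import os
API_KEY = "mk_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6"  # hardcoded key
API_KEY_OK = os.environ["MEDIAKIT_API_KEY"]  # hypothetical variable name
'''
SAMPLE_LOG = (
    'GET /api/assets 200 headers={"X-API-Key": '
    '"mk_live_zz99yy88xx77ww66vv55uu44tt33ss22"}\n'
)

if __name__ == "__main__":
    results = scan_text("app.py", SAMPLE_SOURCE) + scan_text("access.log", SAMPLE_LOG)
    for f in results:
        print(f'{f["source"]}:{f["line"]}: {f["key_prefix"]} -> {f["redacted_line"]}')
```

Any key the scanner reports should be treated as exposed: create a replacement, then revoke the old one.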