Create new API key
/api/v1/auth/api-keyX-API-KeyGenerate a new API key for a platform. Requires an existing admin-scoped API key. The new API key is only shown once.
Request body
- namestringrequired
Platform name (3-100 characters)
- webhookUrlstring
Webhook URL for receiving event notifications (must be HTTPS in production)
settingsobject
Additional platform settings
objectAdditional platform settings
scopesarray of enum
API scopes to grant to this key. If not provided, defaults to read-only scopes.
array of enumenum"read:transactions" · "write:transactions" · "cancel:transactions" · "rescind:transactions" · "read:customers" · "write:customers" · "read:templates" · "write:templates" · "read:disputes" · "write:disputes" · "submit:evidence" · "read:webhooks" · "write:webhooks" · "read:compliance" · "write:compliance" · "read:platform" · "write:platform" · "manage:api-keys" · "admin:platform"
Responses
201API key created successfully
- apiKeystringrequired
The generated API key (only shown once)
- platformIdstringrequired
Platform ID
- platformNamestringrequired
Platform name
scopesarray of enumrequired
API scopes granted to this key
array of enumenum"read:transactions" · "write:transactions" · "cancel:transactions" · "rescind:transactions" · "read:customers" · "write:customers" · "read:templates" · "write:templates" · "read:disputes" · "write:disputes" · "submit:evidence" · "read:webhooks" · "write:webhooks" · "read:compliance" · "write:compliance" · "read:platform" · "write:platform" · "manage:api-keys" · "admin:platform"- createdAtstring (date-time)required
Creation timestamp
- warningstringrequired
Important security warning
{
"apiKey": "cbx_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6",
"platformId": "string",
"platformName": "string",
"scopes": [
"read:transactions",
"write:transactions",
"read:customers"
],
"createdAt": "2026-01-15T12:00:00.000Z",
"warning": "Store this API key securely. It will not be shown again."
}400Bad request
Response follows the unified success / data / meta / error envelope.
401Missing or invalid API key
Response follows the unified success / data / meta / error envelope.
403Caller lacks admin:platform scope
Response follows the unified success / data / meta / error envelope.
curl -X POST https://api-staging.coinbax.com/api/v1/auth/api-key \
-H "X-API-Key: $COINBAX_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"name": "My Marketplace",
"webhookUrl": "https://myapp.com/webhooks/coinbax",
"settings": {
"theme": "dark",
"notifications": true
},
"scopes": [
"read:transactions",
"write:transactions",
"read:customers"
]
}'const response = await fetch('https://api-staging.coinbax.com/api/v1/auth/api-key', {
method: 'POST',
headers: {
'X-API-Key': process.env.COINBAX_API_KEY,
'Content-Type': 'application/json',
},
body: JSON.stringify({
"name": "My Marketplace",
"webhookUrl": "https://myapp.com/webhooks/coinbax",
"settings": {
"theme": "dark",
"notifications": true
},
"scopes": [
"read:transactions",
"write:transactions",
"read:customers"
]
}),
});
const result = await response.json();