API keys

Long-lived credentials for the Public API — creation, the one-time reveal, revocation, rotation, and scope.

Not verified yet

API keys are how your application authenticates to the read-only Public API for fetching translations. They are separate from user sessions: the dashboard and the CLI authenticate as you; API keys authenticate as your app, don't expire, and survive people leaving the team.

They live in LangSyncAPI keys — one list per organization.

Create a key

  1. Click Create API key.
  2. Name it after where it will live — production-web, ci-pipeline, dev-laptop. The name is purely for your records; it grants nothing.
  3. Create it. A dialog shows the full key value exactly once — copy it now. From then on, the list shows only a short preview of the key's first characters.

LangSync stores only a hash of the key, which is why it can never show you the value again. Lost the value? Create a new key and revoke the old one — there's no recovery.

Store keys in an environment variable or a secret manager. Never commit them to a repository — anyone with the key can read every translation in your organization.

Use a key

Authorization: Apikey <your-api-key>

Bearer <your-api-key> is also accepted, for HTTP clients that hard-code the scheme. See Fetch translations for the endpoints.

The keys list

For each key you see its status (Active or Revoked), creation date, and Last used at — the timestamp of its most recent request. Last-used is the load-bearing column: it's how you find dead keys and how you verify a rotation actually completed.

Revoke a key

Use the row's delete action and confirm. Revocation is immediate: the very next request with that key gets 401 UNAUTHORIZED. There is no grace period, so revoke after the replacement key is deployed.

Revoked keys stay in the list, marked Revoked — the UI says it directly: "Revoked keys remain visible for auditing but can no longer authenticate requests." Both creation and revocation are recorded in the audit log (apikey.created / apikey.deleted).

Rotation

Nothing forces rotation, but the safe sequence is cheap:

  1. Create the new key and deploy it everywhere the old one was used.
  2. Watch the old key's Last used at until it stops moving.
  3. Revoke the old key.

Scope

Keys are organization-scoped: any key can read translations from every namespace in the organization. There are no per-namespace or per-language scopes. If two projects must not be able to read each other's strings, put them in separate organizations.

Keys are also read-only by design — the Public API has no mutating endpoints, so a leaked key exposes translations but can't change or delete anything.

On this page