API keys
Long-lived credentials for the Public API — creation, the one-time reveal, revocation, rotation, and scope.
API keys are how your application authenticates to the read-only Public API for fetching translations. They are separate from user sessions: the dashboard and the CLI authenticate as you; API keys authenticate as your app, don't expire, and survive people leaving the team.
They live in LangSync → API keys — one list per organization.
Create a key
- Click Create API key.
- Name it after where it will live —
production-web,ci-pipeline,dev-laptop. The name is purely for your records; it grants nothing. - Create it. A dialog shows the full key value exactly once — copy it now. From then on, the list shows only a short preview of the key's first characters.
LangSync stores only a hash of the key, which is why it can never show you the value again. Lost the value? Create a new key and revoke the old one — there's no recovery.
Store keys in an environment variable or a secret manager. Never commit them to a repository — anyone with the key can read every translation in your organization.
Use a key
Authorization: Apikey <your-api-key>Bearer <your-api-key> is also accepted, for HTTP clients that
hard-code the scheme. See
Fetch translations for the
endpoints.
The keys list
For each key you see its status (Active or Revoked), creation date, and Last used at — the timestamp of its most recent request. Last-used is the load-bearing column: it's how you find dead keys and how you verify a rotation actually completed.
Revoke a key
Use the row's delete action and confirm. Revocation is immediate:
the very next request with that key gets 401 UNAUTHORIZED. There is
no grace period, so revoke after the replacement key is deployed.
Revoked keys stay in the list, marked Revoked — the UI says it
directly: "Revoked keys remain visible for auditing but can no longer
authenticate requests." Both creation and revocation are recorded in
the audit log (apikey.created /
apikey.deleted).
Rotation
Nothing forces rotation, but the safe sequence is cheap:
- Create the new key and deploy it everywhere the old one was used.
- Watch the old key's Last used at until it stops moving.
- Revoke the old key.
Scope
Keys are organization-scoped: any key can read translations from every namespace in the organization. There are no per-namespace or per-language scopes. If two projects must not be able to read each other's strings, put them in separate organizations.
Keys are also read-only by design — the Public API has no mutating endpoints, so a leaked key exposes translations but can't change or delete anything.
Related
- Fetch translations — using the key from your app.
- Public API — the full surface a key can reach.