API keys let you authenticate programmatically — for CI/CD pipelines, automation scripts, or AI agents. Each key is scoped to a workspace and can be full-access or read-only.
moss key list
List API keys for the current workspace. Requires owner role.
| Option | Required | Description |
|---|
--page <n> | No | Page number |
--per-page <n> | No | Items per page |
API key values are only shown once at creation time. The list shows key metadata (name, scope, prefix) but not the full key.
moss key create
Create a new API key. Requires owner role.
moss key create --name "ci-deploy" --scope full
| Option | Required | Description |
|---|
--name <name> | Yes | Human-readable name for the key |
--scope <scope> | No | Scope: full (default) or read_only |
moss key create --name "ci-deploy" --json
{
"data": {
"id": "key_abc123",
"name": "ci-deploy",
"key": "moss_k_abc123...",
"scope": "full",
"created_at": "2026-02-08T12:00:00Z"
}
}
moss key revoke
Revoke an API key. Requires owner role. This immediately invalidates the key.
moss key revoke --id key_abc123 --confirm
| Option | Required | Description |
|---|
--id <id> | Yes | Key ID |
--confirm | Yes | Confirm revocation (required for destructive operations) |
Revoking a key immediately invalidates it. Any automation using this key will stop working.
