> ## Documentation Index
> Fetch the complete documentation index at: https://docs.myme.so/llms.txt
> Use this file to discover all available pages before exploring further.

# Create an API key

> Creates a new API key in the caller's tenant. The plaintext `key` field is returned **once** in the response — the server never shows it again. Store it securely; rotating means revoking the old key and creating a new one.

`role` controls scope: `admin` bypasses every permission check; `tenant_admin` is the admin tier within a tenant; `member` is scoped by the three permission maps (`type_permissions`, `extension_permissions`, `edge_permissions`) plus `metadata_permissions`. `source` is stamped onto every item written by the key and is unique per tenant. `default_tier` stamps `library` or `feed` when the writing client omits a tier.

In bootstrap mode (zero keys exist on a fresh server), no auth is required and the minted key is always admin. Once any key exists, bootstrap mode disables — further key creation requires an admin or tenant_admin token. See [Permissions](/api/permissions) for the permission-map grammar.



## OpenAPI

````yaml /openapi.json post /keys
openapi: 3.1.0
info:
  title: Marfa API
  version: 4.2.0
  description: Typed data layer for structured personal data
servers: []
security: []
paths:
  /keys:
    post:
      tags:
        - Keys
      summary: Create an API key
      description: >-
        Creates a new API key in the caller's tenant. The plaintext `key` field
        is returned **once** in the response — the server never shows it again.
        Store it securely; rotating means revoking the old key and creating a
        new one.


        `role` controls scope: `admin` bypasses every permission check;
        `tenant_admin` is the admin tier within a tenant; `member` is scoped by
        the three permission maps (`type_permissions`, `extension_permissions`,
        `edge_permissions`) plus `metadata_permissions`. `source` is stamped
        onto every item written by the key and is unique per tenant.
        `default_tier` stamps `library` or `feed` when the writing client omits
        a tier.


        In bootstrap mode (zero keys exist on a fresh server), no auth is
        required and the minted key is always admin. Once any key exists,
        bootstrap mode disables — further key creation requires an admin or
        tenant_admin token. See [Permissions](/api/permissions) for the
        permission-map grammar.
      requestBody:
        content:
          application/json:
            schema:
              type: object
              properties:
                label:
                  type: string
                  minLength: 1
                source:
                  type: string
                  minLength: 1
                  maxLength: 200
                role:
                  type: string
                  enum:
                    - admin
                    - tenant_admin
                    - member
                default_tier:
                  type: string
                  enum:
                    - library
                    - feed
                is_platform:
                  type: boolean
                type_permissions:
                  type: object
                  additionalProperties:
                    type: string
                    enum:
                      - read
                      - write
                      - none
                extension_permissions:
                  type: object
                  additionalProperties:
                    type: string
                    enum:
                      - read
                      - write
                edge_permissions:
                  type: object
                  additionalProperties:
                    type: string
                    enum:
                      - read
                      - write
                metadata_permissions:
                  type: object
                  additionalProperties:
                    type: string
                    enum:
                      - read
                      - write
              required:
                - label
                - source
      responses:
        '201':
          description: API key created
          content:
            application/json:
              schema:
                type: object
                properties:
                  id:
                    type: string
                  key:
                    type: string
                  label:
                    type: string
                  source:
                    type: string
                  role:
                    type: string
                    enum:
                      - admin
                      - tenant_admin
                      - member
                  default_tier:
                    type: string
                    enum:
                      - library
                      - feed
                  is_platform:
                    type: boolean
                  type_permissions:
                    type: object
                    additionalProperties:
                      type: string
                      enum:
                        - read
                        - write
                        - none
                  extension_permissions:
                    type: object
                    additionalProperties:
                      type: string
                      enum:
                        - read
                        - write
                  edge_permissions:
                    type: object
                    additionalProperties:
                      type: string
                      enum:
                        - read
                        - write
                  metadata_permissions:
                    type: object
                    additionalProperties:
                      type: string
                      enum:
                        - read
                        - write
                  created_at:
                    type: string
                  last_used_at:
                    type: string
                    nullable: true
                required:
                  - id
                  - key
                  - label
                  - source
                  - role
                  - default_tier
                  - is_platform
                  - type_permissions
                  - created_at
                  - last_used_at
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                type: object
                properties:
                  error:
                    type: object
                    properties:
                      code:
                        type: string
                        enum:
                          - unauthorized
                      message:
                        type: string
                      details:
                        type: object
                        additionalProperties:
                          nullable: true
                    required:
                      - code
                      - message
                required:
                  - error
      security:
        - bearerAuth: []
components:
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: API Key or OAuth Token
      description: Pass an API key (marfa_k1_...) or OAuth access token (marfa_at_...)

````