API Keys
API keys provide programmatic access to the Roundtable API. Each key is scoped to a specific user and organization, enabling automation, CI/CD integrations, and custom tooling.
What API Keys Are
- Per-user: Each API key is tied to the user who created it. Actions performed with the key are attributed to that user.
- Scoped to org: Keys operate within the context of your organization. They cannot access resources in other organizations.
- Independent of sessions: Unlike browser-based authentication, API keys don't expire with your login session — they remain valid until explicitly revoked.
Creating an API Key
- Navigate to Organization Settings → API Keys.
- Click Create API Key.
- Enter a name for the key (e.g., "CI/CD Pipeline", "Monitoring Script").
- Click Generate.
- Copy the key immediately — it will only be shown once in full.
:::danger Copy Your Key Now
The full API key is displayed only at creation time. After you close the dialog, only a masked preview is shown. If you lose the key, you'll need to create a new one.
:::
Key Preview
After creation, API keys are displayed in a masked format in the dashboard:
rt_sk_****************************a1b2
Only the last 4 characters are visible. This lets you identify which key is which without exposing the full value.
Revoking Keys
To revoke an API key:
- Navigate to Organization Settings → API Keys.
- Find the key in the list.
- Click Revoke.
- Confirm the revocation.
What happens when you revoke a key:
- The key is immediately invalidated.
- Any in-flight API requests using the key will fail.
- The revocation is logged in the Audit Log.
- The action is permanent — revoked keys cannot be restored.
:::tip Regular Rotation
Rotate API keys periodically as a security best practice. Create a new key, update your integrations, then revoke the old key.
:::
How Keys Are Stored
Roundtable encrypts all API keys at rest using AES-256-GCM:
- Keys are encrypted before being written to the database.
- The encryption key is managed separately from the application database.
- Even in the event of a database breach, stored keys are not usable without the encryption key.
- Masked previews are stored as a separate, non-reversible field.
Using Keys for API Access
Include your API key as a Bearer token in the Authorization header of your HTTP requests:
curl -X GET https://roundtable.foxtrotcommunications.net/api/v1/workspaces \
  -H "Authorization: Bearer rt_sk_your_api_key_here" \
  -H "Content-Type: application/json"
Example: List Workspaces
curl -s https://roundtable.foxtrotcommunications.net/api/v1/workspaces \
  -H "Authorization: Bearer rt_sk_your_api_key_here" | jq

{
  "workspaces": [
    {
      "id": "ws_abc123",
      "name": "Engineering",
      "provider": "anthropic",
      "model": "claude-sonnet-4-20250514",
      "status": "running"
    }
  ]
}
Example: Create a Workspace
curl -X POST https://roundtable.foxtrotcommunications.net/api/v1/workspaces \
  -H "Authorization: Bearer rt_sk_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Analytics",
    "provider": "vertex_ai",
    "model": "gemini-2.5-pro"
  }'
:::warning Key Permissions
API keys inherit the permissions of the user who created them. If a Member creates a key, the key has Member-level access. If an Admin creates a key, the key has Admin-level access.
:::
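In CI/CD scripts, the requests shown under "Using Keys for API Access" can be made without placing the key on the command line, where it would be visible in process listings and shell history. The shell helpers below are an added example, not part of Roundtable's own tooling; the `ROUNDTABLE_API_KEY` variable, the `rt_*` function names, and the assumption that a key is `rt_sk_` followed only by letters and digits are illustrative.

```shell
#!/bin/sh
# Added example, not Roundtable's own tooling. ROUNDTABLE_API_KEY and the
# rt_* function names are assumptions made for this sketch.
RT_BASE_URL="https://roundtable.foxtrotcommunications.net/api/v1"

# Accept only values shaped like the keys shown on this page: "rt_sk_" plus
# letters/digits (character set assumed). Rejecting quotes and newlines keeps
# a corrupted secret from injecting extra curl options or headers.
rt_check_key() {
  case "$1" in
    rt_sk_*[!A-Za-z0-9]*) return 1 ;;
    rt_sk_?????*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the key the way the dashboard previews it: prefix, asterisks, last 4.
rt_mask_key() (
  rt_check_key "$1" || exit 1
  body=${1#rt_sk_}
  head=${body%????}                       # everything except the last 4
  stars=$(printf '%s' "$head" | sed 's/./*/g')
  printf 'rt_sk_%s%s\n' "$stars" "${body#"$head"}"
)

# Emit curl config lines for `curl --config -`, so the key is read from stdin
# and never appears in argv, `ps` output or shell history.
rt_curl_config() (
  key=${ROUNDTABLE_API_KEY:?export it from your CI secret store}
  rt_check_key "$key" || { echo "ROUNDTABLE_API_KEY is malformed" >&2; exit 1; }
  printf 'header = "Authorization: Bearer %s"\n' "$key"
)

# rt_api METHOD PATH [JSON_BODY]; logs only the masked key.
rt_api() (
  cfg=$(rt_curl_config) || exit 1
  echo "rt_api: $1 $2 as $(rt_mask_key "$ROUNDTABLE_API_KEY")" >&2
  printf '%s\n' "$cfg" | curl --silent --show-error --fail --config - \
    --request "$1" --header "Content-Type: application/json" \
    ${3:+--data "$3"} "$RT_BASE_URL$2"
)

# Usage: rt_api GET /workspaces
#        rt_api POST /workspaces '{"name":"Analytics","provider":"vertex_ai","model":"gemini-2.5-pro"}'
```

Because the log line carries the same last-4 preview as the dashboard, a CI log entry can be matched to a key in Organization Settings without the full value ever being written out.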