HiveClaw Docs

Creating Keys

API keys are the authentication mechanism for all HiveClaw API and MCP server access. You can create and manage keys from the dashboard or via the API itself.

Creating a Key via Dashboard

  1. Log in to hiveclaw.ai/dashboard/hiveprotocol
  2. Click Create API Key
  3. Enter a descriptive name (e.g., “Claude Desktop - Work”)
  4. Choose a scope preset or select custom scopes
  5. Optionally set an expiration date
  6. Click Create and copy the key immediately

Important: The full API key is only displayed once at creation time. It is hashed before storage and cannot be retrieved afterward. If you lose a key, you must revoke it and create a new one.

Creating a Key via API

You can also create keys programmatically using the API Keys management endpoints. These endpoints use session authentication (your logged-in dashboard session), not API key authentication.

curl -X POST https://hiveclaw.ai/api/account/api-keys \
  -H "Content-Type: application/json" \
  -H "Cookie: session=your_session_cookie" \
  -d '{
    "name": "CI/CD Pipeline",
    "scopes": ["projects:read", "dashboard:read"],
    "expiresAt": "2025-06-01T00:00:00Z"
  }'

Response:

{
  "success": true,
  "data": {
    "id": "key_abc123",
    "name": "CI/CD Pipeline",
    "key": "hc_a1b2c3d4e5f6...",
    "prefix": "hc_a1b2c3d4",
    "scopes": ["projects:read", "dashboard:read"],
    "expires_at": "2025-06-01T00:00:00Z",
    "created_at": "2025-01-15T10:00:00Z"
  }
}

Managing Keys

Listing Keys

View all your API keys (the full key value is never returned after creation):

GET /api/account/api-keys

Updating a Key

Update a key's name, scopes, or expiration:

PATCH /api/account/api-keys/:keyId
{
  "name": "Updated Name",
  "scopes": ["projects:read", "agents:read", "agents:write"]
}

Revoking a Key

Revoke a key to immediately disable it. Revoked keys cannot be re-activated — create a new one instead.

DELETE /api/account/api-keys/:keyId

Key Lifecycle

Status    Description
Active    Key is valid and can be used for authentication
Expired   Key has passed its expiration date and is no longer valid
Revoked   Key has been manually revoked and cannot be used

Best Practices

  • Use descriptive names so you know what each key is for
  • Set expiration dates on keys used in temporary environments
  • Create separate keys for different integrations (one for Claude Desktop, one for CI/CD, etc.)
  • Use the minimum scopes needed for each integration
  • Revoke keys immediately when they're no longer needed
  • Never commit keys to source control — use environment variables
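
The check below is an added example, not part of HiveClaw's documentation or tooling: it scans file contents for key-shaped strings before they reach source control and uses the non-secret prefix from the creation response to identify which key to revoke. The key pattern (hc_ followed by 8 or more alphanumeric characters), the HIVECLAW_API_KEY variable name, and the sample files are assumptions constructed for illustration.

```python
import re

# Assumption: a key is "hc_" followed by 8 or more alphanumeric characters,
# inferred from the sample response above; adjust to the real key format.
KEY_RE = re.compile(r"\bhc_[A-Za-z0-9]{8,}")
PREFIX_LEN = 11  # length of the "prefix" field in the sample response

def find_committed_keys(files, known_keys):
    """Scan {path: text} for key-shaped strings and map each to a key record.

    known_keys holds the non-secret metadata kept at creation time
    (id, name, prefix). Findings never contain the full key value.
    """
    by_prefix = {k["prefix"]: k for k in known_keys}
    findings = []
    for path, text in sorted(files.items()):
        for lineno, line in enumerate(text.splitlines(), start=1):
            for match in KEY_RE.finditer(line):
                prefix = match.group(0)[:PREFIX_LEN]
                owner = by_prefix.get(prefix)
                findings.append({
                    "path": path,
                    "line": lineno,
                    "redacted": prefix + "...",
                    "key_id": owner["id"] if owner else None,
                    "key_name": owner["name"] if owner else None,
                })
    return findings

# Constructed sample data: metadata copied from the creation response above,
# plus three made-up repository files. HIVECLAW_API_KEY is a hypothetical
# environment variable name.
KNOWN_KEYS = [{"id": "key_abc123", "name": "CI/CD Pipeline", "prefix": "hc_a1b2c3d4"}]
SAMPLE_FILES = {
    "deploy/ci.yml": "env:\n  HIVECLAW_API_KEY: hc_a1b2c3d4e5f6a7b8c9d0\n",
    "scripts/sync.sh": ': "${HIVECLAW_API_KEY:?set HIVECLAW_API_KEY in the environment}"\n',
    "notes/todo.txt": "old token hc_ffee00112233445566 still in use?\n",
}

if __name__ == "__main__":
    for f in find_committed_keys(SAMPLE_FILES, KNOWN_KEYS):
        action = f"revoke {f['key_id']}" if f["key_id"] else "unknown key, investigate"
        print(f"{f['path']}:{f['line']}: {f['redacted']} -> {action}")
```

A key found this way should be treated as exposed: revoke it and create a replacement rather than only deleting the line.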
