> ## Documentation Index
> Fetch the complete documentation index at: https://docs.surfacd.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create and manage API keys for your team's scripts, curl commands, or integrations.

<Note>
  Beta functionality: reach out to support to express interest in our API and MCP servers. Beta users can also browse the [API Reference](/api-reference).
</Note>

API keys let trusted scripts, terminals, and integrations call the Surfacd API for a specific team. Create each key from the team that owns the data you want to access.

## Create a key

1. Open the team you want the key to access.
2. Go to **Team Settings** > **API Keys**.
3. Enter a name for the key, something that reminds you where you'll use it, like *Local script* or *Vercel integration*.
4. Click **Create Key**.

A dialog will appear showing the key once. **Copy it now** and store it somewhere safe. For your security, we can't show it to you again. If you lose a key, revoke it and create a new one.

## Use a key

Send the key as a `Bearer` token in the `Authorization` header, and call the API on `app.surfacd.com` or the team's own URL.

```bash theme={null}
curl 'https://app.surfacd.com/api/v1/team' \
  -H 'Authorization: Bearer YOUR_API_KEY' \
  -H 'Accept: application/json'
```

A few things to know:

* **Keys belong to teams.** Create a separate key for each team or integration that needs API access.
* **The key selects the team.** Team-level endpoints do not need a team UUID. Project-scoped endpoints use project UUIDs from the same team.
* **Treat keys as team-level access.** Store them only in trusted systems and revoke keys that are no longer needed.

## Revoke a key

You can revoke any key from **Team Settings** > **API Keys**. Click **Revoke** next to the key. Calls using that key stop working immediately.

If a key may have been exposed (committed to a repo, pasted in a chat, etc.), revoke it straight away and create a new one.

## Security tips

* Treat keys like passwords. Don't share them, paste them in chats, or commit them to source control.
* Use a separate, named key per integration so you can revoke just that one if something goes wrong.
* Prefer environment variables or a secret manager over hardcoding keys.
* Rotate keys periodically: revoke old ones and create a fresh one.
