Concepts
An API key is a long-lived credential that authenticates machine-to-machine requests as a Bearer token. Workers, CI pipelines, and service integrations use API keys to access Mobius instead of interactive login. Each key carries an explicit set of permissions and can be scoped to the whole organization or pinned to a single project.
The model
Each API key has:
- A scope — org keys authenticate against any project in the organization. Project-pinned keys carry a project_id and are restricted to that project, regardless of any broader permissions the caller holds.
- A permissions array — an explicit list of what the key may do. The creating caller cannot grant permissions they do not themselves hold.
- A key prefix — the first 8 characters of the raw key, retained for identification. The full key is returned once at creation time and is never retrievable again.
- An optional service account — associates the key with a service account for attribution and quota tracking.
- An optional expiry — an expires_at timestamp. Requests using an expired key receive 401.
Creating a project-pinned key
```bash
curl -X POST "${MOBIUS_API_URL}/v1/api-keys" \
  -H "Authorization: Bearer ${MOBIUS_API_KEY}" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "worker-prod",
    "project_id": "prj_acme123",
    "permissions": ["mobius.job.claim"],
    "expires_at": "2027-01-01T00:00:00Z"
  }'
```

Mobius returns the raw key in the key field of the response — the only time it appears. Store it before discarding the response. Subsequent reads return only the key_prefix for identification.
Lifecycle
A key passes through three states:
| State | Entered when | Left when |
|---|---|---|
| Active | Key is created | Key expires or is revoked |
| Expired | expires_at timestamp is reached | Key is revoked |
| Revoked | Key is deleted via the API | Never — revocation is permanent |
Requests using an expired or revoked key immediately receive 401.
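The scope, permission, and lifecycle rules above can be modelled in a few lines. This is an added example, not Mobius's own code. The `ApiKey` class, the `revoked` flag, the function names, and the `deny:*` results are assumptions; the page only documents 401 for expired or revoked keys.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class ApiKey:
    permissions: FrozenSet[str]
    project_id: Optional[str] = None       # None means org-scoped
    expires_at: Optional[datetime] = None  # None means no expiry
    revoked: bool = False                  # assumed flag, set when the key is deleted

def key_state(key: ApiKey, now: datetime) -> str:
    """Lifecycle table: revocation is permanent, so it wins over expiry."""
    if key.revoked:
        return "revoked"
    if key.expires_at is not None and now >= key.expires_at:
        return "expired"
    return "active"

def can_grant(creator_permissions, requested) -> bool:
    """A creator cannot grant permissions they do not themselves hold."""
    return set(requested) <= set(creator_permissions)

def decide(key: ApiKey, project_id: str, permission: str, now: datetime) -> str:
    """Return "401" (documented), "allow", or an assumed "deny:*" result."""
    if key_state(key, now) != "active":
        return "401"
    # Project pinning restricts the key regardless of its permissions.
    if key.project_id is not None and key.project_id != project_id:
        return "deny:project"
    if permission not in key.permissions:
        return "deny:permission"
    return "allow"

if __name__ == "__main__":
    # Constructed sample mirroring the worker-prod request on this page;
    # "prj_other" is a made-up second project.
    worker = ApiKey(frozenset({"mobius.job.claim"}), "prj_acme123",
                    datetime(2027, 1, 1, tzinfo=timezone.utc))
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    print(decide(worker, "prj_acme123", "mobius.job.claim", now))
    print(decide(worker, "prj_other", "mobius.job.claim", now))
```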
Where you see it
- Dashboard — Projects → <project> → API Keys lists all project-pinned keys with their prefix, last-used timestamp, and associated actor.
- API — the API Keys tag group covers creation, listing, retrieval, and revocation for both org-scoped and project-pinned keys.
See also
- Service accounts — associate a key with a service account for attribution and quota tracking.
- Workflows — workers use API keys to claim jobs created by workflow steps.