The V3 API Keys endpoints support dashboard-driven key management - listing, creating, and revoking keys from an authenticated dashboard session. Authentication uses a dashboard user JWT (Bearer token), not an X-Api-Key. These endpoints are restricted to Company owners and tools admins.
For the full authentication concept guide - including how scopes work, how to use mTLS, and best practices for key rotation - see Snappy API Authentication: API Keys, Scopes & mTLS.
For programmatic key management from a backend service or CI/CD pipeline (using an existing API key for auth), see the V2 API Keys endpoints. V2 and V3 serve different use cases - V2 for service-to-service automation, V3 for human-operator dashboard flows.

Authentication

V3 API Keys endpoints use a dashboard user JWT in the Authorization header:
Authorization: Bearer YOUR_JWT
For multi-company users, pass Snappy-Company-Id to select the target Company. Only Company owners and tools admins can call these endpoints - other users will receive 403 Forbidden.

The API Key Object

The V3 response shape never includes the secret value, even on creation responses. Treat the secret as opaque once issued.
| Field | Type | Description |
|---|---|---|
| id | string | Unique identifier of the API key |
| name | string | Display name (unique within the Company) |
| companyId | string | The ID of the Company the key belongs to |
| createdAt | string (ISO 8601) | When the key was created |
| expirationDate | string (ISO 8601) | When the key expires. null if the key has no expiration. |
| enforceMtls | boolean | When true, requests with this key must use mTLS |
| permissions | array | Permission scopes granted to this key (e.g. gifts:create, orders:read:masked) |
| accountsAccess | object | Account scope: { scope: "all-accounts" \| "specific-accounts", ids: [] } |
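
A review pass over listed key objects, as an added example (not Snappy's own code) that uses only the fields in the table above to flag keys an owner may want to rotate or tighten. The function names, the 90-day age and 14-day expiry thresholds, and the sample keys are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

MAX_ACTIVE_KEYS = 100  # per-Company limit stated on this page

# Constructed sample data shaped like the API Key Object above (not real keys).
SAMPLE_KEYS = [
    {"id": "key_ci", "name": "ci-pipeline", "companyId": "cmp_1",
     "createdAt": "2025-01-10T09:00:00Z", "expirationDate": None,
     "enforceMtls": False, "permissions": ["gifts:create"],
     "accountsAccess": {"scope": "all-accounts", "ids": []}},
    {"id": "key_rpt", "name": "reporting", "companyId": "cmp_1",
     "createdAt": "2026-05-20T09:00:00Z", "expirationDate": "2026-08-20T09:00:00Z",
     "enforceMtls": True, "permissions": ["orders:read:masked"],
     "accountsAccess": {"scope": "specific-accounts", "ids": ["acc_7"]}},
]
NOW = datetime(2026, 6, 18, tzinfo=timezone.utc)  # fixed clock for the sample

def parse_ts(value):
    """Parse an ISO 8601 timestamp; accept a trailing 'Z' and default to UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)

def audit_keys(keys, now, max_age_days=90, expiry_warn_days=14):
    """Return {key id: [findings]}; thresholds are assumed policy, not Snappy defaults."""
    findings = {}
    for key in keys:
        notes = []
        if key["expirationDate"] is None:
            notes.append("no-expiration")
        elif parse_ts(key["expirationDate"]) - now <= timedelta(days=expiry_warn_days):
            notes.append("expires-soon")
        if now - parse_ts(key["createdAt"]) > timedelta(days=max_age_days):
            notes.append("rotation-overdue")
        if not key["enforceMtls"]:
            notes.append("mtls-not-enforced")
        if key["accountsAccess"]["scope"] == "all-accounts":
            notes.append("all-accounts-scope")
        if notes:
            findings[key["id"]] = notes
    return findings

def capacity_left(keys):
    """Number of keys that can still be created before the 100-key limit."""
    return MAX_ACTIVE_KEYS - len(keys)

if __name__ == "__main__":
    for key_id, notes in audit_keys(SAMPLE_KEYS, NOW).items():
        print(key_id, ", ".join(notes))
```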

Key Concepts

Restricted to owner-level dashboard users

Unlike V2, the V3 endpoints don’t accept an X-Api-Key. Authentication requires a valid dashboard user session token, and the user must be a Company owner or tools admin. Standard dashboard users will receive 403.

Maximum 100 active keys per Company

Companies can have up to 100 active API keys at any time.

Page-number pagination

The List endpoint uses page-number pagination (page[number], page[size]), with the standard V3 links envelope (first, next, prev).

Standard V3 error envelope

Errors follow the standard V3 shape: { message, errorCode, errors[] } with structured error codes (e.g. 403_PBLC_001) and dot-separated paths to field-level errors.

How to Work with API Keys (V3)

List API keys
GET /v3/authentication/api-keys
Returns a paginated list of the active API keys for your Company. Filter by Account access scope, paginate with page[number] / page[size].

Create an API key
POST /v3/authentication/api-keys
Creates a new API key. The secret value is returned in this response only.

Delete an API key
DELETE /v3/authentication/api-keys/{apiKeyId}
Permanently deletes the specified key. Returns 204 No Content on success.
Last modified on June 18, 2026