> ## Documentation Index
> Fetch the complete documentation index at: https://docs.xquik.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create API key

> Generate a new API key for programmatic access to the Xquik API

<blockquote className="agent-llms-directive">
  For the complete documentation index, see <a href="/llms.txt">llms.txt</a>.
</blockquote>

<Callout icon="circle-check" color="#16a34a">
  **Free** - does not consume credits
</Callout>

Store `fullKey` immediately and log only `id` and `prefix`.

<CodeGroup>
  ```bash cURL theme={null}
  response=$(curl -sS -X POST https://xquik.com/api/v1/api-keys \
    -H "Cookie: session_token=YOUR_SESSION_TOKEN" \
    -H "Content-Type: application/json" \
    -d '{"name": "Production"}')
  full_key=$(jq -r '.fullKey' <<<"$response")
  key_id=$(jq -r '.id' <<<"$response")
  key_prefix=$(jq -r '.prefix' <<<"$response")
  # Store $full_key in your secret manager; do not print it in logs.
  printf 'Created API key %s (%s)\n' "$key_id" "$key_prefix"
  ```

  ```javascript Node.js theme={null}
  const response = await fetch("https://xquik.com/api/v1/api-keys", {
    method: "POST",
    headers: {
      "Cookie": "session_token=YOUR_SESSION_TOKEN",
      "Content-Type": "application/json",
    },
    body: JSON.stringify({ name: "Production" }),
  });
  const key = await response.json();
  const apiKey = key.fullKey;
  // Store apiKey in your secret manager; do not print it in logs.
  process.stdout.write(`Created API key ${key.id} (${key.prefix})\n`);
  ```

  ```python Python theme={null}
  import requests

  response = requests.post(
      "https://xquik.com/api/v1/api-keys",
      cookies={"session_token": "YOUR_SESSION_TOKEN"},
      json={"name": "Production"},
  )
  key = response.json()
  api_key = key["fullKey"]
  # Store api_key in your secret manager; do not print it in logs.
  print(f"Created API key {key['id']} ({key['prefix']})")
  ```

  ```go Go theme={null}
  package main

  import (
    "bytes"
    "encoding/json"
    "fmt"
    "log"
    "net/http"
  )

  func main() {
    body, err := json.Marshal(map[string]string{"name": "Production"})
    if err != nil {
      log.Fatal(err)
    }

    req, err := http.NewRequest("POST", "https://xquik.com/api/v1/api-keys", bytes.NewReader(body))
    if err != nil {
      log.Fatal(err)
    }
    req.Header.Set("Content-Type", "application/json")
    req.AddCookie(&http.Cookie{Name: "session_token", Value: "YOUR_SESSION_TOKEN"})

    resp, err := http.DefaultClient.Do(req)
    if err != nil {
      log.Fatal(err)
    }
    defer resp.Body.Close()

    var key map[string]string
    if err := json.NewDecoder(resp.Body).Decode(&key); err != nil {
      log.Fatal(err)
    }

    apiKey := key["fullKey"]
    // Store apiKey in your secret manager; do not print it in logs.
    _ = apiKey
    fmt.Printf("Created API key %s (%s)\n", key["id"], key["prefix"])
  }
  ```
</CodeGroup>

## Headers

<ParamField header="Cookie" type="string">
  Dashboard session cookie. Format: `session_token=YOUR_SESSION_TOKEN`.
</ParamField>

<ParamField header="x-api-key" type="string">
  API key for the same account. Use this instead of `Cookie` for automated key rotation.
</ParamField>

<ParamField header="Authorization" type="string">
  OAuth bearer token for the same account. Format: `Bearer YOUR_TOKEN`.
</ParamField>

<ParamField header="Content-Type" type="string" required>
  Must be `application/json`.
</ParamField>

## Body

<ParamField body="name" type="string">
  Display name for the key. Defaults to `"Default"` if omitted.
</ParamField>

## Response

<Tabs>
  <Tab title="201 Created">
    <ResponseField name="id" type="string">
      Unique identifier for the API key.
    </ResponseField>

    <ResponseField name="fullKey" type="string">
      The complete API key including the `xq_` prefix.
    </ResponseField>

    <ResponseField name="prefix" type="string">
      First 8 characters of the key including the `xq_` prefix (e.g. `"xq_a1b2"`).
    </ResponseField>

    <ResponseField name="name" type="string">
      Display name of the key.
    </ResponseField>

    <ResponseField name="createdAt" type="string">
      ISO 8601 creation timestamp.
    </ResponseField>

    ```json theme={null}
    {
      "id": "42",
      "fullKey": "xq_YOUR_KEY_HERE",
      "prefix": "xq_a1b2",
      "name": "Production",
      "createdAt": "2026-02-24T10:30:00.000Z"
    }
    ```

    <Warning>
      The `fullKey` is returned **only once**. Store it securely. It cannot be retrieved again.
    </Warning>
  </Tab>

  <Tab title="401 Unauthenticated">
    ```json theme={null}
    { "error": "unauthenticated" }
    ```

    Missing or invalid session cookie, API key, or bearer token.
  </Tab>

  <Tab title="403 Key limit reached">
    ```json theme={null}
    { "error": "api_key_limit_reached", "limit": 100, "message": "API key limit reached. Delete an existing key first." }
    ```

    You have reached the maximum number of active API keys (100). Revoke an active key before creating a new one. Revoked keys do not count toward the active limit.
  </Tab>

  <Tab title="429 Rate Limited">
    ```json theme={null}
    { "error": "rate_limit_exceeded", "message": "Too many requests. Try again later.", "retryAfter": 60 }
    ```

    Too many requests. Wait for the `Retry-After` header before retrying.
  </Tab>
</Tabs>

<Note>
  Use a dashboard session cookie to create the first API key. Existing API keys and OAuth bearer tokens can create additional keys for the same account.

  **Related:** [List API Keys](/api-reference/api-keys/list) · [Revoke API Key](/api-reference/api-keys/revoke)
</Note>
