The user management API is for automation scripts or private console integrations. For routine API key management, prefer API key management in the console.
The management API is authenticated separately from model-call APIs. Console calls use the active browser session; scripts need a management credential and the matching New-Api-User header. A model-call sk- API key cannot authenticate management API requests.

List API keys

GET /api/token/
Returns the API keys you can manage. The key field in list responses may be masked.

Create an API key

POST /api/token/
{
  "name": "codex",
  "remain_quota": 0,
  "expired_time": -1,
  "unlimited_quota": true,
  "model_limits_enabled": false,
  "model_limits": "",
  "group": "auto",
  "cross_group_retry": true,
  "allow_ips": ""
}
  • name (string, required): API key name. Use a client or task label such as claude-code, codex, or cherry-studio.
  • remain_quota (integer): Quota available to this API key. When unlimited_quota is true, this field does not cap the key.
  • expired_time (integer): Unix timestamp. Use -1 for no expiration.
  • unlimited_quota (boolean): Whether the API key has no key-level quota cap. The account balance is still charged normally.
  • model_limits_enabled (boolean): Whether to enable a model allowlist.
  • model_limits (string): Model allowlist value when model limits are enabled.
  • group (string): Groups assigned to the API key. Use commas for multiple groups, for example codex,codex-passthrough.
  • cross_group_retry (boolean): Whether to allow retrying across groups. This is usually used with auto or multi-group API keys.
  • allow_ips (string): Source IP allowlist for this API key. Leave empty for no IP restriction.
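
The create request shown above has no expiration, no key-level quota cap, no model allowlist and no source IP restriction. As an added example (not code from this platform or its documentation), the Python below audits a request body for those four settings and builds a scoped copy before it is sent. MAX_TTL_DAYS, the finding names, and the sample quota, model and IP values are assumptions; the format of model_limits and allow_ips values is not specified on this page, so they are passed through as given.

```python
import time

# Constructed sample: the create-request body shown on this page.
PAGE_EXAMPLE = {
    "name": "codex", "remain_quota": 0, "expired_time": -1,
    "unlimited_quota": True, "model_limits_enabled": False,
    "model_limits": "", "group": "auto",
    "cross_group_retry": True, "allow_ips": "",
}

MAX_TTL_DAYS = 90  # assumption: a local rotation policy, not a platform limit


def audit_key(body, now=None):
    """Return least-privilege findings for one API key request body."""
    now = int(time.time()) if now is None else now
    findings = []
    exp = body.get("expired_time", -1)
    if exp == -1:
        findings.append("no-expiry")
    elif exp - now > MAX_TTL_DAYS * 86400:
        findings.append("expiry-beyond-policy")
    if body.get("unlimited_quota"):
        # With unlimited_quota true, remain_quota does not cap the key.
        findings.append("unlimited-quota")
    if not body.get("model_limits_enabled") or not body.get("model_limits"):
        findings.append("no-model-allowlist")
    if not body.get("allow_ips", "").strip():
        findings.append("no-ip-allowlist")
    return findings


def harden(body, *, quota, ttl_days, models, allow_ips, now=None):
    """Return a copy of body scoped by quota, lifetime, models and source IP."""
    now = int(time.time()) if now is None else now
    return {**body,
            "remain_quota": quota, "unlimited_quota": False,
            "expired_time": now + ttl_days * 86400,
            "model_limits_enabled": True, "model_limits": models,
            "allow_ips": allow_ips}


if __name__ == "__main__":
    print(audit_key(PAGE_EXAMPLE))
    scoped = harden(PAGE_EXAMPLE, quota=500000, ttl_days=30,
                    models="example-model", allow_ips="203.0.113.10")
    print(audit_key(scoped))
```

The same audit_key function can be run over each entry returned by the list endpoint to find existing keys that were created without these limits.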

Get an API key

GET /api/token/{id}
  • id (integer, required): API key ID.

Copy the full API key value

POST /api/token/{id}/key
Returns the full value for one of your own API keys. Call this only from a trusted environment, and do not expose the result to page scripts, logs, or untrusted systems.

Update an API key

PUT /api/token/
Use the same fields as API key creation and include the target API key ID. For enable/disable-only changes, use status_only.

Delete an API key

DELETE /api/token/{id}
After deletion, the API key can no longer call model APIs. In-flight requests may not be interrupted immediately.

Search API keys

GET /api/token/search?keyword=claude
  • keyword (string): Search by API key name.

Boundaries

  • Manage only your own API keys.
  • Do not infer admin endpoints from this user-facing management API.
  • Automation scripts should handle expired sessions, 403 permission errors, and 429 rate limits.