Overview
API keys provide long-lived, non-interactive authentication for headless environments. They start with the prefix kite_ and work anywhere a Firebase token is accepted — every API endpoint, including the agent orchestrator.
Never expire
Unlike Firebase tokens (1 hour), API keys live until revoked.
SHA-256 hashed
Plaintext is never stored — only a secure hash.
Prefix-indexed
Fast lookup using the first 13 characters.
Usage tracking
last_used_at updated on every authentication.
Creating a key
From the dashboard: Go to Settings > API Keys and click "Create API key".
From the API:
curl -X POST https://api.kiteml.com/api/api-keys \
  -H "Authorization: Bearer <your_firebase_token>" \
  -H "Content-Type: application/json" \
  -d '{"name": "CI Pipeline"}'
The raw key is returned only once in the response. Store it securely — you won't be able to see it again.
Using a key
Pass the key as a Bearer token in the Authorization header:
Authorization: Bearer kite_aBcDeFgH...
Or set it as an environment variable:
export KITE_API_KEY=kite_aBcDeFgH...
# Now both CLI and MCP server will use it automatically
kite project list
kite-mcp # MCP server reads KITE_API_KEY
Security
SHA-256 hashing
Keys are stored as hashes — the plaintext is never persisted.
Prefix index
First 13 characters used for efficient database lookup.
User-scoped
Each key is tied to a single user account.
Soft revocation
Revoked keys are soft-deleted and cannot be reactivated.
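How a server could verify a key under the properties listed above (13-character prefix lookup, SHA-256 comparison, soft revocation, last_used_at update), as an added example that is not Kite's own code. The `KeyStore` class, its row fields, `digest_key` and the random key format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PREFIX_LEN = 13  # per the page: lookup uses the first 13 characters


def digest_key(raw_key):
    # Assumed encoding: SHA-256 over the UTF-8 key, stored as hex.
    return hashlib.sha256(raw_key.encode()).hexdigest()


class KeyStore:
    """In-memory stand-in for the key table (hypothetical schema)."""

    def __init__(self):
        self.rows = []

    def create(self, user_id, name):
        raw = "kite_" + secrets.token_urlsafe(32)  # constructed key format
        self.rows.append({
            "id": len(self.rows), "user_id": user_id, "name": name,
            "prefix": raw[:PREFIX_LEN], "hash": digest_key(raw),
            "revoked_at": None, "last_used_at": None,
        })
        return raw  # returned once; only the prefix and hash are stored

    def revoke(self, key_id):
        # Soft delete: the row is kept, and nothing ever clears revoked_at.
        self.rows[key_id]["revoked_at"] = datetime.now(timezone.utc)

    def authenticate(self, presented):
        """Return the owning user_id, or None if the key is not valid."""
        if not presented.startswith("kite_"):
            return None
        digest = digest_key(presented)
        for row in self.rows:
            if row["prefix"] != presented[:PREFIX_LEN]:
                continue  # stands in for the indexed prefix query
            # The prefix only narrows the search; the full hash decides.
            if hmac.compare_digest(row["hash"], digest):
                if row["revoked_at"] is not None:
                    return None
                row["last_used_at"] = datetime.now(timezone.utc)
                return row["user_id"]
        return None
```

A fast hash such as SHA-256 is suitable here only because the key is assumed to be a long random value rather than a user-chosen secret.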
Managing keys
View and revoke keys from Settings > API Keys in the dashboard. Each key shows its name, creation date, prefix, and last used date.
API reference
| Method | Path | Description |
|---|---|---|
| POST | /api/api-keys | Create a new key. Body: { name: string } |
| GET | /api/api-keys | List active keys (no secrets returned) |
| DELETE | /api/api-keys/:id | Revoke a key |