API keys

Developer API keys enable programmatic access to PoQ by both developers and agents. Use them to access the PoQ Developer API (/developer/v1) and the PoQ MCP server (/mcp).

What they are

An API key is a bearer token with the prefix poq_live_. Each key is scoped to one user within one organization.

PropertyDetail
Formatpoq_live_ + 32 base62 characters (41 chars total)
HeaderAuthorization: Bearer poq_live_...
ScopeOne organization; projects and uploads created via the key live in that organization
AttributionWork performed with a key is attributed to the user who created it

Creating a key

Open API Keys in the app. Give the key a name and copy the token when it appears. It is shown exactly once and cannot be retrieved later. You can still list keys and see their prefix (poq_live_…).

Only originators of your current organization can create keys. If you are not an originator, ask an organization admin to grant access or create a key for you.

Managing keys

From the same API Keys page you can list active keys and revoke them by setting an expiry. Revoked keys stop working immediately.

Authorization layers

A valid key is necessary but not always sufficient.

Endpoint classRequirements
GET /developer/v1/pingValid, non-expired key
Project and upload endpointsValid key and the key's creator must still be an originator within the organization

The originator check runs on every project request, not just at creation time. If the creator loses originator status within the organization, existing keys remain valid for ping but can no longer create or manage projects.

Security

PracticeWhy
Store keys in a secrets managerPlaintext keys grant full organization-scoped API access
Never commit keys to source controlTreat a leaked key like a leaked password
Set an expiry for short-lived automationLimits blast radius if a key is exposed
Rotate after compromiseRevoke the old key in the app, create a new one

Presigned upload URLs returned by upload-session endpoints are a separate credential. PUT requests to those URLs need no Authorization header.

What keys are not

Not thisThis instead
Web app access tokenWallet login at https://sapien-poq.up.railway.app, for browser use
Presigned upload URLReturned per file during upload; scoped to one object and time-limited
Validator credentialsValidators use wallet auth on app routes, not API keys

See also

PageDescription
Quickstart - APIEnd-to-end workflow with a new key
Developer API - RESTHTTP endpoint reference
MCP serverTool-based access with the same keys
Edit this page on GitHub Last updated Jul 14, 2026