Skip to main content
API tokens — also called workspace API keys — are the primary credential for machine-to-machine access. Each token is bound to a single workspace and carries an explicit scope set chosen at creation. Live keys (gak_live_*) target production; test keys (gak_test_*) target a sandbox with isolated data and no real Stripe charges. The secret value is returned exactly once at creation — there is no way to retrieve it later. By the end of this page you will know which endpoints exist and the lifecycle rules that govern them.

What a token looks like

Metadata is freely readable; the secret never appears on a read.

Endpoints

List all tokens in the workspace. Create a new API token. Secret returned once. Fetch token metadata. Never the secret. Issue a new secret and invalidate the old one. Permanently revoke the token.

Rules to know before you call

Common errors

Authentication

How keys and OAuth session tokens work, including the scope model and rotation discipline.