Skip to main content

API key generation

API key operations use session-based authentication (browser cookies). They create a Puffle API key from a signed-in Puffle account and are designed to be called from the Puffle dashboard, not from your backend integration. To create a key, log in to the Puffle dashboard, open Settings → API, and click Generate API key.
If you need to programmatically rotate API keys from your own backend, contact support — we can assist with a service-account flow.

Generate API key

Creates a new API key for your account. Only one active key is permitted at a time. Do not call this endpoint with an API key; use the signed-in dashboard flow above. 
POST /api/user/api-key
Authentication: Session (browser cookie)

Response — 201 Created

{
  "api_key": "pk_live_abc123def456ghi789jkl012...",
  "prefix": "pk_live_abc123def456ghi7",
  "message": "Save this key — it will not be shown again."
}
The full API key is returned only once at creation time. Copy it immediately — subsequent GET requests return only the masked form.

Get API key info

Returns metadata about the current active API key. 
GET /api/user/api-key
Authentication: Session (browser cookie)

Response

{
  "has_key": true,
  "prefix": "pk_live_abc123def456ghi7",
  "has_webhook": false,
  "created_at": "2026-04-20T10:00:00Z"
}

Revoke API key

Immediately invalidates the current API key. 
DELETE /api/user/api-key
Authentication: Session (browser cookie) Response: 200 OK 
{
  "success": true
}
Revocation is immediate. Any services using the revoked key will receive 401 on their next request. Generate and deploy a new key before revoking the old one to avoid downtime.