URL: /guides/api-keys

---
title: Create and rotate API keys
description: Mint, scope, and revoke keys for scripts and CI.
---

API keys are durable bearer tokens. They never expire — kill them when you're done.

## Mint

[Dashboard → API keys → New key](https://app.domaingenius.com.au/dashboard/api-keys).

Or via the API itself:

```bash
curl -X POST "https://api.domaingenius.com.au/api/v1/me/api-keys" \
  -H "Authorization: Bearer dg_live_existingkey..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "ci-deploy",
    "scopes": ["domains:read", "dns:write"]
  }'
```

```json
{
  "id": "key_01HF82YV...",
  "name": "ci-deploy",
  "scopes": ["domains:read", "dns:write"],
  "key": "dg_live_2k8n4j7s9..."
}
```

`key` is the full secret — only returned in this response, never again. Save it to a secrets manager.

## Scope tightly

A CI key that only updates DNS doesn't need `billing:write`. The dashboard pre-fills sensible scope sets per use case (CI, monitoring, registrar tooling) — start there.

## List

```bash
curl "https://api.domaingenius.com.au/api/v1/me/api-keys" \
  -H "Authorization: Bearer $DG_KEY"
```

Responses show the prefix (`dg_live_2k8n…`) and metadata, never the secret.

## Rotate

There's no rotate endpoint. Mint a new key, deploy, delete the old one:

```bash
curl -X DELETE "https://api.domaingenius.com.au/api/v1/me/api-keys/$KEY_ID" \
  -H "Authorization: Bearer $DG_KEY"
```

Deletion is immediate. Requests with the deleted key get HTTP 401 within seconds.

## Test mode

`dg_test_` keys hit the same routes but never call the registrar. Use them in CI fixtures so a passing test never accidentally registers `dxnghhg-test-1234.com`. Test keys can register, renew, transfer, and edit DNS — all returning synthetic confirmations.

Mint a test key from the dashboard with the **Test mode** toggle on.

## Leak protection

We scan public GitHub for `dg_live_` keys. If we find a match we revoke and email you. There's no way to opt out — leaked keys are leaked keys.