
Dashboard Guide

API Keys

API keys authenticate the CLI, SDKs, and any HTTP integration. Each key is bound to a single organization and carries an expiry; it can optionally be scoped to specific projects and restricted to an IP allowlist.

Creating a Key

  1. Open API Keys from the sidebar.
  2. Click Create Key.
  3. Fill in:
    • Name — descriptive label (github-actions-deploy, laptop-mac).
    • Expiry — number of days. Required; the longest allowed value depends on your plan.
    • Project access — "all projects" or a list of specific projects.
    • IP allowlist — optional CIDR ranges (e.g. your CI provider's IP range).
  4. Click Create. The key value is displayed once — copy it to your password manager or CI secret store immediately.

Scoping

A key's effective permissions are the intersection of:

  • The role of the user who created it (Owner / Admin / Member).
  • The project allowlist on the key.
  • The IP allowlist on the key.
  • The expiry date.

Use the tightest scope that still works:

Personal dev key

All projects, no IP allowlist, 30-day expiry. Convenient for daily local work.

CI deploy key

Single project, IP allowlist matching the CI provider, 90-day expiry. Lower blast radius if leaked.
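
The difference between the two profiles is easiest to see by evaluating the same request against both. The following is an added sketch, not EnvVault's implementation: it models only the key-level constraints (project allowlist, IP allowlist, expiry, revocation) and leaves out the creator's role, since the page does not define what each role permits. The `ApiKey` fields, the `check_request` helper, the project names and the addresses are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class ApiKey:
    # Field names are assumptions for this sketch, not EnvVault's schema.
    name: str
    expires_at: datetime
    projects: Optional[frozenset] = None   # None means "all projects"
    ip_allowlist: tuple = ()               # empty means no IP restriction
    revoked: bool = False

def check_request(key, project, source_ip, now):
    """Return (allowed, reason). Every constraint must pass (intersection)."""
    if key.revoked:
        return False, "revoked"
    if now >= key.expires_at:
        return False, "expired"
    if key.projects is not None and project not in key.projects:
        return False, "project not in key scope"
    if key.ip_allowlist:
        addr = ip_address(source_ip)
        # An IPv4 address tested against an IPv6 network is simply False.
        if not any(addr in ip_network(cidr) for cidr in key.ip_allowlist):
            return False, "source IP not in allowlist"
    return True, "ok"

# Constructed sample data: documentation-range addresses, made-up project names.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)
DEV_KEY = ApiKey("laptop-mac", NOW + timedelta(days=30))
CI_KEY = ApiKey("github-actions-deploy", NOW + timedelta(days=90),
                projects=frozenset({"web-app"}),
                ip_allowlist=("203.0.113.0/24",))

if __name__ == "__main__":
    leak_ip = "198.51.100.7"   # a host outside the CI provider's range
    for key in (DEV_KEY, CI_KEY):
        for project in ("web-app", "billing"):
            print(key.name, project, check_request(key, project, leak_ip, NOW))
```

Run as a script, it shows the personal dev key being accepted for both projects from the outside address, while the CI key is refused for each.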

Listing & Inspecting Keys

The list view shows: name, masked prefix, scope summary, last-used timestamp, expiry, and status (active / expired / revoked). Filter by status, search by name, or sort by last-used to find unused keys ready for cleanup.

Revoking a Key

Click the row's Revoke button. Revocation is immediate; the next request from that key returns 401.

Reasons to revoke:

  • Key suspected leaked (committed by mistake, exposed in logs).
  • Owner left the organization.
  • Project the key was scoped to was retired.
  • Routine rotation.

Using a Key

From the CLI:

envv login --token evk_xxxxxxxxxxxxxxxxx
# or
export ENVVAULT_TOKEN=evk_xxxxxxxxxxxxxxxxx
envv run -- npm start

From an HTTP client:

curl https://api.envvault.com/api/v1/cli/secrets -H "Authorization: Bearer $ENVVAULT_TOKEN"

Audit

Every API_KEY_CREATE and API_KEY_REVOKE event lands in Audit Logs. Every request authenticated by the key shows up in the log under that key's actor identity.