API keys

Create, use, and revoke API keys for scripts, CI, and agents.

Creating a key

Settings → API keys → Create key (a name is optional but kind to your future self). The key — it starts with crw_ — is shown once, at creation. We store only a hash, so copy it somewhere safe immediately; if you lose it, revoke it and create a new one.

Using a key

Send it as a bearer token against the API:

curl https://crawlie.app/v1/reports \
  -H "Authorization: Bearer crw_..." \
  -H "x-crawlie-team: <workspace-id>"

The same key also authenticates MCP clients that don’t do OAuth. Full surface in the REST API overview.

Scope

Keys are tied to your account — a request with your key can do what you can do, in any workspace you belong to (the x-crawlie-team header picks which one). There are no narrower per-key scopes yet, so treat a key like your sign-in.

Housekeeping

The keys list shows each key’s prefix, creation date, and last used time — an easy way to spot dead keys. Revoke kills a key immediately; requests with it start failing on the spot. Keys don’t expire on their own.

If a key may have leaked (committed to a repo, pasted in a log), revoke it first and ask questions later — creating a replacement takes seconds.

Still stuck? Email us — a human replies, usually within a day.