curl --request POST \
  --url https://api-next.dealroom.co/api/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "type": "m2m",
  "name": "Production data pipeline",
  "permissions": [
    "read:entities",
    "read:investors",
    "read:transactions"
  ]
}
'

{
  "data": {
    "id": 123,
    "name": "<string>",
    "client_id": "<string>",
    "permissions": [
      "<string>"
    ],
    "allowed_origins": [
      "<string>"
    ],
    "allowed_callback_urls": [
      "<string>"
    ],
    "last_used_at": "<string>",
    "created_at": "<string>",
    "created_by": "<string>",
    "client_secret": "<string>"
  }
}

API Keys

Create a new API key

Provisions an Auth0 application and returns the client credentials.

Key types:

m2m (default) — Machine-to-Machine, uses client_credentials grant. Suitable for server-side integrations. Returns client_id + client_secret. The secret is shown only once — store it securely.
application — Browser SPA, uses Authorization Code + PKCE. Users authenticate via Auth0 Universal Login; effective scopes = user.permissions ∩ key.permissions. Read-only — all permissions must start with read:. Returns client_id only (no secret). Requires allowed_origins and allowed_callback_urls.

Calling the API with the created M2M key: subsequent API requests must include an Authorization bearer token (obtained by exchanging the key’s client_id + client_secret at the Auth0 token endpoint) and X-Client-Id set to the issued client_id. Application (SPA) keys use Authorization Code + PKCE instead — see the Authentication guide.

POST

api

api-keys

curl --request POST \
  --url https://api-next.dealroom.co/api/api-keys \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "type": "m2m",
  "name": "Production data pipeline",
  "permissions": [
    "read:entities",
    "read:investors",
    "read:transactions"
  ]
}
'

{
  "data": {
    "id": 123,
    "name": "<string>",
    "client_id": "<string>",
    "permissions": [
      "<string>"
    ],
    "allowed_origins": [
      "<string>"
    ],
    "allowed_callback_urls": [
      "<string>"
    ],
    "last_used_at": "<string>",
    "created_at": "<string>",
    "created_by": "<string>",
    "client_secret": "<string>"
  }
}

Authorizations

Authorization

string

header

required

Auth0 JWT access token. Paste a token obtained from your preferred OAuth2 flow. For machine-to-machine use, the OAuth2 client_credentials scheme below can mint a token directly from your client_id / client_secret inside the Swagger UI Authorize dialog.

Body

application/json

Option 1
Option 2

type

enum<string>

required

Programmatic key using client_credentials grant — server-side only.

Available options:

m2m

Example:

"m2m"

name

string

required

A human-readable name for the API key

Required string length: 1 - 100

Example:

"Production integration"

permissions

string[]

required

Permissions to grant (must be a subset of your own)

Minimum array length: 1

Example:

["read:entities", "read:investors"]

Response

API key created

data

object

required

Show child attributes

List API keys Get API key details

Documentation Index

Authorizations

Body

Response