API keys authenticate requests to the REST API and the MCP server.
Creating a key
- Open the OpenWhispr desktop app
- Go to Integrations > API Keys
- Click Create API Key
- Give it a name and select the scopes you need
- Copy the key — it starts with
owk_live_ and is only shown once
Store your key securely. If you lose it, revoke it and create a new one.
Creating keys via the API
AI assistants can create their own keys programmatically using the agent setup flow. You can also manage keys via the API:
POST /v1/keys/create — create a new key
GET /v1/keys/list — list active keys
POST /v1/keys/{id}/revoke — revoke a key
These endpoints accept both desktop session auth and agent session tokens (owt_ prefix).
Scopes
Each key has specific permissions. Choose only what you need.
Limits
- Max 5 API keys per user
- Keys can optionally have an expiration date
- Keys can be revoked at any time from the desktop app
Keys are 32 bytes of cryptographic randomness, prefixed with owk_live_ for identification. Only the SHA-256 hash is stored server-side — the raw key cannot be recovered after creation.
Best practices
- Use separate keys for different integrations so you can revoke one without affecting others
- Set expiration dates for keys used in temporary automations
- Use the minimum scopes needed — a read-only dashboard doesn’t need
notes:write