> ## Documentation Index
> Fetch the complete documentation index at: https://docs.openwhispr.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> Create and manage API keys for the OpenWhispr API and MCP server.

API keys authenticate requests to the [REST API](/api/overview) and the [MCP server](/integrations/mcp).

## Creating a key

1. Open the OpenWhispr desktop app
2. Go to **Integrations > API Keys**
3. Click **Create API Key**
4. Give it a name and select the scopes you need
5. Copy the key — it starts with `owk_live_` and is only shown once

<Warning>
  Store your key securely. If you lose it, revoke it and create a new one.
</Warning>

### Creating keys via the API

AI assistants can create their own keys programmatically using the [agent setup flow](/integrations/agent-setup). You can also manage keys via the API:

* `POST /v1/keys/create` — create a new key
* `GET /v1/keys/list` — list active keys
* `POST /v1/keys/{id}/revoke` — revoke a key

These endpoints accept both desktop session auth and agent session tokens (`owt_` prefix).

## Scopes

Each key has specific permissions. Choose only what you need.

| Scope                 | Access                                            |
| --------------------- | ------------------------------------------------- |
| `notes:read`          | List, get, and search notes. List folders.        |
| `notes:write`         | Create, update, and delete notes. Create folders. |
| `transcriptions:read` | List and get transcription history.               |
| `usage:read`          | Read usage statistics and plan details.           |

## Limits

* Max **5 API keys** per user
* Keys can optionally have an **expiration date**
* Keys can be **revoked** at any time from the desktop app

## Key format

```
owk_live_<base64url-encoded-random-bytes>
```

Keys are 32 bytes of cryptographic randomness, prefixed with `owk_live_` for identification. Only the SHA-256 hash is stored server-side — the raw key cannot be recovered after creation.

## Best practices

* Use separate keys for different integrations so you can revoke one without affecting others
* Set expiration dates for keys used in temporary automations
* Use the minimum scopes needed — a read-only dashboard doesn't need `notes:write`
