
API keys

Create, scope, rotate, and revoke API keys for programmatic access via Authorization: Bearer.


API keys grant programmatic access to the public /v1/* API. Each key carries an explicit list of capabilities -- the routes it is allowed to call -- so you can keep the blast radius small if a key ever leaks. Create as many keys as you need, one per integration, and scope each one tightly.

Create a key

  1. Sign in to the dashboard.
  2. Open /settings?tab=apiKeys.
  3. Click the create button.
  4. Give the key a descriptive name -- "Production CI", "Staging monitor", "Local MCP client" -- so you recognise it later.
  5. Pick the capabilities the integration needs. The form starts with desktop:read and desktop:chat checked, which is enough to list desktops and send chat messages. Add more only if the integration needs them.
  6. Copy the key immediately. It is shown in plaintext exactly once. NEVER commit the key to a repository.

The value looks like sk_live_.... Le Bureau stores a bcrypt hash, not the plaintext, so the key cannot be recovered later. If you lose it, revoke and create a new one.

Use a key

Send the key in the Authorization header. The cheapest call to confirm everything is wired up correctly is /v1/me:

curl https://lebureau.talentai.fr/v1/me \
  -H "Authorization: Bearer sk_live_..."

The response includes your user id, email, role, tier, and the capabilities of the key making the request -- a good way to verify the key has the scopes you expect.
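The scope check described above can be automated, for example as a CI step run after creating or rotating a key. This is an added example, not Le Bureau's own code: the JSON field name `capabilities`, the environment variable `LEBUREAU_API_KEY`, and the sample response (including the placeholder capability `example:extra`) are assumptions, since this page does not document the response schema.

```python
import json
import os
import urllib.error
import urllib.request

BASE_URL = "https://lebureau.talentai.fr"  # host from the curl example on this page
CAPS_FIELD = "capabilities"                # assumed JSON field name in the /v1/me response


def audit_scopes(me_response: dict, expected: set) -> dict:
    """Compare the capabilities a key reports against what the integration needs."""
    granted = set(me_response.get(CAPS_FIELD, []))
    return {
        "missing": sorted(expected - granted),  # integration lacks a scope it needs
        "excess": sorted(granted - expected),   # wider blast radius than needed
        "ok": granted == expected,
    }


def fetch_me(api_key: str, opener=urllib.request.urlopen) -> dict:
    """Call /v1/me with the key; a revoked key surfaces as HTTP 401."""
    req = urllib.request.Request(
        f"{BASE_URL}/v1/me", headers={"Authorization": f"Bearer {api_key}"}
    )
    try:
        with opener(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise PermissionError("key rejected (revoked or invalid)") from None
        raise


# Constructed sample response; "example:extra" is a placeholder, not a real capability.
SAMPLE_ME = {"id": "u_123", "email": "ci@example.com", "role": "member", "tier": "pro",
             "capabilities": ["desktop:read", "desktop:chat", "example:extra"]}

if __name__ == "__main__":
    expected = {"desktop:read", "desktop:chat"}
    # The key is read from the environment, never from source control.
    key = os.environ.get("LEBUREAU_API_KEY")  # hypothetical variable name
    me = fetch_me(key) if key else SAMPLE_ME
    report = audit_scopes(me, expected)
    print(report)
    raise SystemExit(0 if report["ok"] else 1)
```

A non-empty `excess` list means the key is broader than the integration needs; because capabilities are static, the fix is to revoke it and create a narrower replacement.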

Capabilities

Every key carries an allowlist that decides which routes it can call. The default at creation is narrow on purpose: desktop:read and desktop:chat. Anything broader -- starting and stopping desktops, sending control input, scheduled jobs, knowledge base reads -- has to be opted in.

Capabilities are static. There is no edit-key flow. To change the scopes a key has, revoke it and create a new one with the right boxes ticked. See API capabilities for the full list and what each capability unlocks.

List, rotate, revoke

All key management happens at /settings?tab=apiKeys. The page lists every active key with its name, creation date, and capabilities. There is no public API in this release to list or revoke keys programmatically.

To rotate a key without downtime: create the replacement first, switch the integration over, confirm it works, then revoke the old key.

If a key leaks

Revoke it immediately on /settings?tab=apiKeys. Revocation takes effect right away -- any request using the revoked key returns 401. Then create a replacement with the same capabilities and roll your integration over to the new value. If you suspect the key was used to do something you did not intend, check the recent activity for affected resources.

Recommendations

| Practice | Why |
| --- | --- |
| One key per integration | Revoking one integration does not break the others |
| Descriptive names | Tells you at a glance which key belongs to which system |
| Narrow capabilities | Smallest blast radius if a key leaks -- only what the integration actually needs |
| Rotate periodically | Limits the window of exposure if a key is silently compromised |