API keys
Creating, managing, and revoking API keys for programmatic access.
What API keys are for
API keys let you access Le Bureau's API from scripts, automation tools, CI/CD pipelines, and custom integrations -- anywhere you cannot use a browser session.
Each key is tied to your account and grants the same permissions as your logged-in session.
Creating an API key
- Go to Settings > API Keys in the dashboard
- Click Create API Key
- Give your key a descriptive name (e.g., "CI Pipeline", "Monitoring Script")
- Copy the key immediately -- it is shown only once
The key will look like: lb_k_a1b2c3d4e5f6...
The lb_k_ prefix identifies it as a Le Bureau API key. The rest is a cryptographically random string.
Important: the plaintext key is displayed only at creation time. Le Bureau stores a bcrypt hash, not the key itself. If you lose the key, you must revoke it and create a new one.
Using your API key
Pass the key in the x-api-key header on every request:
```bash
# List your desktops
curl https://lebureau.talentai.fr/api/desktops \
  -H "x-api-key: lb_k_a1b2c3d4e5f6..."

# Create a task
curl -X POST https://lebureau.talentai.fr/api/mission-control/tasks \
  -H "x-api-key: lb_k_a1b2c3d4e5f6..." \
  -H "Content-Type: application/json" \
  -d '{"type": "prompt", "content": "Run tests", "desktopId": "..."}'
```
Listing your keys
View all active keys from the dashboard or via the API:
```bash
curl https://lebureau.talentai.fr/api/auth/api-keys \
  -H "x-api-key: lb_k_a1b2c3d4e5f6..."
```
The response includes each key's name, creation date, and a masked preview (last 4 characters). The full key is never returned after creation.
Revoking a key
To revoke a key from the dashboard, click the Revoke button next to it in the API Keys settings page.
Via the API:
```bash
curl -X DELETE https://lebureau.talentai.fr/api/auth/api-keys/key-id-here \
  -H "x-api-key: lb_k_a1b2c3d4e5f6..."
```
Revocation is immediate. Any request using the revoked key will receive a 401 Unauthorized response.
Recommendations
| Practice | Why |
|---|---|
| One key per integration | Revoke access for one integration without affecting others |
| Descriptive names | Know which key belongs to what system at a glance |
| Rotate regularly | Limit exposure window if a key is compromised |
| Never commit keys | Use environment variables or secret managers instead |
| Revoke unused keys | Fewer active keys means smaller attack surface |
Rate limiting on failed attempts
Le Bureau tracks failed authentication attempts per IP address. After 10 failed API key attempts within 60 seconds, the IP is temporarily blocked from API key authentication.
This protects against brute-force attacks but means you should verify your key is correct before running automated loops. A typo in your key could lock out your IP temporarily.
See API authentication for the full rate limiting details.
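One way to verify a key before an automated loop starts, as an added example (not Le Bureau's own code): it checks the key locally, then spends a single request on the key-listing endpoint and refuses to continue on a 401, so a bad key costs one failed attempt rather than ten. The `LB_API_KEY` variable name and the `lb_*` function names are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example: check a Le Bureau API key once before an automated loop starts.
# Assumptions: the key is in an environment variable named LB_API_KEY (name is
# hypothetical) and contains no whitespace, double quotes or backslashes.

LB_BASE_URL="https://lebureau.talentai.fr"

# Local check that costs no request: catches an unset variable, a secret that
# lacks the documented lb_k_ prefix, and a stray newline or space from a paste.
lb_key_format_ok() {
  case "$1" in
    *[[:space:]]*|*'"'*|*'\'*) return 1 ;;
    lb_k_?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Send one authenticated request and print only the HTTP status code.
# The header is fed to curl as config on stdin, so the key never appears in
# the process argument list.
lb_probe_status() {
  printf 'header = "x-api-key: %s"\n' "$1" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --config - "$LB_BASE_URL/api/auth/api-keys"
}

# Exit status: 0 = key accepted, 1 = key missing, malformed or rejected (401),
# 2 = any other outcome (network error, 5xx). Only 0 should start the loop.
lb_preflight() {
  if ! lb_key_format_ok "${LB_API_KEY:-}"; then
    echo "LB_API_KEY is unset or malformed; no request sent" >&2
    return 1
  fi
  lb_status="$(lb_probe_status "$LB_API_KEY")" || lb_status="000"
  case "$lb_status" in
    2??) return 0 ;;
    401) echo "key rejected (401): fix or replace it before retrying" >&2
         return 1 ;;
    *)   echo "unexpected HTTP status $lb_status; not starting" >&2
         return 2 ;;
  esac
}

# Usage in a job: lb_preflight || exit 1; then run the loop, and stop the loop
# on the first 401 instead of retrying.
```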