> ## Documentation Index
> Fetch the complete documentation index at: https://devkit4ai.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Creating Project API Keys

> Generate project-scoped keys for Starter Kit deployments and end-user apps.

Project API keys (also called "API Keys" in the interface) are provisioned per project via `POST /api/v1/projects/{project_id}/api-keys`, exactly as documented in the Cloud API reference.

## Key Format

API Keys use the following format:

**Prefix:** `ak_` (API Key)

**Full format:** `ak_` + 32 alphanumeric characters (a-zA-Z0-9)

**Example:** `ak_abc123XYZ789def456ghi012jkl345mn`

**Total length:** 35 characters (3 character prefix + 32 character key)

## Key Properties

* **Hashing:** Keys are hashed with SHA-256 before storage for security
* **Prefix storage:** Only the first 8 characters (e.g., `ak_abc12`) are stored in `key_prefix` for identification
* **One-time display:** The full key is shown once during generation; only the hash is persisted
* **Project scoping:** Each key is bound to a specific project via `project_id`
* **Multi-tenant:** Backend projectors enforce scoping to prevent cross-project access

## Environment Variable

In your Starter Kit deployment, set the generated key as:

```bash theme={null}
DEVKIT4AI_PROJECT_KEY=ak_abc123XYZ789def456ghi012jkl345mn
```

<Note>
  The environment variable is named `DEVKIT4AI_PROJECT_KEY` for clarity about scope, but the keys themselves use the `ak_` prefix (not `pk_`).
</Note>

## Generation Flow

1. Cloud Admin UI calls the API endpoint with optional `name` parameter
2. Backend generates key with `ak_` prefix and 32 random alphanumeric characters
3. Full key is hashed with SHA-256
4. Hash and prefix (first 8 chars) are stored in the database
5. Full key is returned in response and displayed once
6. Key becomes valid immediately for API requests

## Security

<Warning>
  * Store the full key securely - it cannot be retrieved again
  * Never commit keys to version control
  * Rotate keys regularly (every 90 days recommended)
  * Revoke compromised keys immediately
</Warning>
