API keys
An API key is a personal token that proves a request is yours. You create keys in your web account and use them to authenticate tools — your own scripts, the desktop app, or third-party integrations — and to unlock your end-to-end-encrypted synced data right in the browser.
You manage keys under Account → API keys (/account/api-keys). Keys are created, shown to
you once, and can be revoked at any time.
What a key is for
A single key does two jobs:
| Use it to… | What that means |
|---|---|
| Authenticate a tool | Let a script, the desktop app, or a third-party integration act on your behalf. |
| Unlock synced data in the browser | Paste a key into the Sync & devices page to decrypt your workspaces, entries, and dictionary terms locally — the key never leaves your browser. |
That second job matters because your synced content is end-to-end encrypted: InkSpoke's servers store only ciphertext. Your API key is what the browser uses to derive your sync key and decrypt everything on your side. See Synced data and privacy for the full picture.
Create a key
- Go to Account → API keys and select + Create API key.
- Name the key something you'll recognize later — for example the machine or script that will use it ("My laptop", "backup script"). The name is just a label for you.
- InkSpoke generates the key and shows the full value once, in a banner with a Copy button. Copy it now — this is the only time you'll ever see the whole key.
- Store the copied value somewhere safe (a password manager is ideal), then Dismiss the banner. The key then appears in your keys table.
Keys look like sk-is-…. After you dismiss the banner, only a short prefix of the key is
ever displayed again.
┌─────────────────────────────────────────────────────────────────┐
│ API keys [ + Create API key ] │
├─────────────────────────────────────────────────────────────────┤
│ ✓ Key created — copy it now; it won't be shown again │
│ ┌──────────────────────────────────────────┐ [ Copy ] │
│ │ sk-is-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX │ [ Dismiss ] │
│ └──────────────────────────────────────────┘ │
├──────────────┬────────────┬───────────┬────────────┬────────────┤
│ Name │ Prefix │ Created │ Last used │ │
├──────────────┼────────────┼───────────┼────────────┼────────────┤
│ My laptop │ sk-is-a1… │ Jul 4 │ Never │ [ Revoke ] │
└──────────────┴────────────┴───────────┴────────────┴────────────┘
The full key is revealed a single time, right after you create it. If you dismiss the banner without copying it, you cannot recover the value — you'll need to create a new key and revoke the old one. The Copy button flashes ✓ Copied for a couple of seconds so you know it worked.
If you've never made a key, the page shows an empty state that prompts you to issue your first one. Just select + Create API key to begin.
The keys table
Every key you've created is listed with a few read-only details so you can tell them apart and spot ones you no longer need:
| Column | What it shows |
|---|---|
| Name | The label you gave the key when you created it. |
| Prefix | The first few characters of the key (sk-is-…) — enough to identify it, never the full value. |
| Created | When the key was issued. |
| Last used | When the key last authenticated a request, or Never if it hasn't been used yet. |
| Revoke | Immediately and permanently disables the key. |
Last used is a quick way to find stale keys: anything still showing Never long after you made it is a safe candidate to revoke.
Use a key to unlock synced data
Your synced data is encrypted, so the web viewer starts locked. To read it:
- Open Account → Sync & devices (
/account/sync-data). - In the Unlock banner, paste an API key (
sk-is-…). - The browser derives your sync key locally and decrypts your workspaces, entries, and dictionary terms in place.
The key you paste stays in your browser session only — it isn't sent to the server, and the unlock doesn't persist after you close the tab. Full details are in Synced data and privacy.
Revoke a key
To disable a key, select Revoke on its row. Revocation takes effect immediately: any tool still using that key stops working, and the key can't be reactivated. Revoke a key whenever you:
- suspect it was exposed or copied somewhere it shouldn't be,
- retire the machine, script, or integration that used it, or
- rotate keys as routine housekeeping.
If you use a specific key to unlock your synced data in the browser, revoking it means you'll need a different valid key to unlock next time. Create the replacement first, then revoke the old one.
Security tips
- Treat a key like a password. Anyone who has it can act as you and decrypt your synced data.
- Never paste keys into shared docs, chat, screenshots, or commits. Store them in a password manager or a secrets vault.
- One key per tool. Separate keys per machine or script make the Last used column meaningful and let you revoke just the one that leaked.
- Rotate on suspicion. If you're unsure whether a key is still private, revoke it and create a new one — there's no downside.
Next steps
- Synced data and privacy — unlock and read your end-to-end-encrypted data with a key.
- Web account overview — everything you can manage from the browser.
- Signing in — how the web, desktop, and mobile apps share your account.
- Choosing your models — pick the voice and text models your account uses.