# API Keys

API keys provide machine-to-machine access to the Duku platform.

Each key is an OAuth2 client pair: `client_id` and `client_secret`. Exchange that pair for a short-lived Bearer token, then use the token against the GraphQL API.

### Limits and scope

* Keys are scoped to one organisation
* Each organisation can have up to **10 active keys**
* Keys expire after **90 days** by default
* Only **Admins** can create, rotate, or revoke keys

### Generate a key

1. Open **Settings → API Keys** in Viewport
2. Click **Generate API Key**
3. Enter a label like `GitHub Actions` or `CI Pipeline`
4. Click **Generate**
5. Copy the **Client ID** and **Client Secret**

{% hint style="warning" %}
The client secret is shown once. Store it in your secret manager immediately.
{% endhint %}

### Exchange the key for an access token

```bash
curl -X POST https://auth.duku.ai/realms/duku/protocol/openid-connect/token \
  -d "grant_type=client_credentials" \
  -d "client_id=<your_client_id>" \
  -d "client_secret=<your_client_secret>" \
  -d "scope=openid"
```

Example response:

```json
{
  "access_token": "eyJhbGciOi...",
  "expires_in": 300,
  "token_type": "Bearer"
}
```

`expires_in` is returned in seconds. In the example above, the token lifetime is 5 minutes.

### Use the access token

```bash
curl -X POST https://platform.duku.ai/graphql \
  -H "Authorization: Bearer <access_token>" \
  -H "Content-Type: application/json" \
  -d '{"query": "{ subjects { id name } }"}'
```
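
Because the token is only valid for `expires_in` seconds, a long-running integration has to cache it and fetch a new one before it expires. The Python client below is an added example, not Duku's own code: it does the exchange and the GraphQL call shown above, reading the secret from the environment so it never appears on a command line. The class name `DukuClient`, the 30-second refresh margin, and the `DUKU_CLIENT_ID` / `DUKU_CLIENT_SECRET` variable names are assumptions.

```python
import json
import os
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://auth.duku.ai/realms/duku/protocol/openid-connect/token"
GRAPHQL_URL = "https://platform.duku.ai/graphql"

def http_post(url, body, headers):
    """POST bytes and decode the JSON reply (HTTP errors raise)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

class DukuClient:  # hypothetical name, not part of any Duku SDK
    def __init__(self, client_id, client_secret, post=http_post,
                 clock=time.monotonic, margin=30):
        self._id, self._secret = client_id, client_secret
        self._post, self._clock, self._margin = post, clock, margin
        self._token, self._refresh_at = None, 0.0

    def token(self):
        """Return a cached Bearer token, refreshing `margin` seconds early."""
        if self._token is None or self._clock() >= self._refresh_at:
            form = urllib.parse.urlencode({
                "grant_type": "client_credentials", "client_id": self._id,
                "client_secret": self._secret, "scope": "openid"}).encode()
            data = self._post(TOKEN_URL, form, {
                "Content-Type": "application/x-www-form-urlencoded"})
            if str(data.get("token_type", "")).lower() != "bearer" \
                    or not data.get("access_token"):
                raise RuntimeError("unexpected token response")  # never log `data`
            self._token = data["access_token"]
            lifetime = int(data["expires_in"])  # seconds, per the response above
            self._refresh_at = self._clock() + max(lifetime - self._margin, 0)
        return self._token

    def graphql(self, query):
        body = json.dumps({"query": query}).encode()
        return self._post(GRAPHQL_URL, body, {
            "Authorization": f"Bearer {self.token()}",
            "Content-Type": "application/json"})

if __name__ == "__main__":
    # Assumed variable names; set them from your secret manager or CI secrets.
    client = DukuClient(os.environ["DUKU_CLIENT_ID"],
                        os.environ["DUKU_CLIENT_SECRET"])
    print(client.graphql("{ subjects { id name } }"))
```

The `post` and `clock` parameters exist so the refresh logic can be exercised without network access.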

### Rotate a key

1. Open **Settings → API Keys**
2. Click **Rotate** on the key
3. Update your CI system with the new secret
4. The previous secret is invalid immediately

### Revoke a key

1. Open **Settings → API Keys**
2. Click **Revoke**
3. The key is deleted permanently

### Best practices

* Use one key per integration
* Rotate keys regularly
* Never commit secrets

