raff api-key

_{Updated May 10, 2026} The raff api-key command group manages API keys for the account. Each key has a name, a rate-limit tier, an optional expiration, and an active flag. The plaintext secret is returned once at create or regenerate — it cannot be retrieved later. Every subcommand supports --output json for scripting. Aliases: raff api-keys, raff key, raff keys.

Subcommand index

Subcommand	What it does
`list`	List API keys
`get`	Show details for one key (no secret)
`create`	Create a new API key (returns the secret once)
`update`	Update a key’s metadata
`regenerate`	Rotate the secret (returns the new secret once)
`revoke`	Permanently revoke a key

list

raff api-key list [--output table|json]

List API keys for the account. Output columns: ID, NAME, PREFIX, ACTIVE, EXPIRES. Secrets are never returned by list.

get

raff api-key get <key-id>

Show key metadata — ID, name, prefix, active flag, expiration. The secret is never returned by get.

create

raff api-key create \
  --name <name> \
  [--rate-limit-tier standard|high] \
  [--expires-at <RFC3339>]

Create a new API key. Required: --name. The plaintext secret is printed once — copy it immediately. The default rate-limit tier is standard; high requires support approval.

raff api-key create --name "ci-deploy" \
  --rate-limit-tier standard \
  --expires-at 2026-12-31T23:59:59Z

update

raff api-key update <key-id> \
  [--name <new-name>] \
  [--rate-limit-tier standard|high] \
  [--active true|false] \
  [--expires-at <RFC3339>]

Update one or more metadata fields. At least one flag must be provided. Use --active false to suspend a key without revoking — re-enable later by setting --active true.

regenerate

raff api-key regenerate <key-id>

Rotate the secret. The new secret is printed once; the old secret stops working immediately.

revoke

raff api-key revoke <key-id> [--force]

Permanently revoke the key. Any client using it will fail immediately. Pass --force to skip the confirmation prompt.

raff_api_key (Terraform)

Declarative API key management.

Role commands

Roles control what a key can do.

Configure CLI auth

Where to put the secret after creating it.

​Subcommand index

​list

​get

​create

​update

​regenerate

​revoke

​Related