Skip to main content
POST

Endpoint

Dashboard-only endpoint. Called from the WiseYield UI with browser cookies (Clerk session). Not callable from a server-to-server integration today. To mint API keys, sign in to the dashboard and use Settings → API Keys → Create API Key.
Summit-tier only. API key creation requires an active Summit subscription. Requests from users on Seed / Sprout / Harvest / Grove / Trial tiers return 403 TIER_INSUFFICIENT. See Subscription tiers for what’s included at each tier.

Authentication

Requires a signed-in WiseYield session. The Bearer examples below show the response wire format but are not directly callable outside the browser session.

Request Body

name
string
required
User-friendly name for the API key (e.g., “Production Server”, “Mobile App”)
scopes
array
required
Array of permission scopes. At least one scope required.Available Scopes:
  • farms:read, farms:write
  • crops:read, crops:write
  • fields:read, fields:write
  • library:read, library:write
  • market:read
  • analytics:read
  • tasks:read, tasks:write
  • team:read, team:write
  • webhooks:read, webhooks:write
  • all (full access)
environment
string
default:"live"
Environment type: live (production) or test (development)
rateLimit
number
default:"1000"
Maximum API requests per hour (1-100,000)
expiresAt
string
ISO 8601 datetime when key should expire (optional, no expiration if omitted)
metadata
object
Custom metadata to attach to the key (optional)

Response

Returns the newly created API key object with the full key.
id
string
Unique identifier (format: key_{nanoid})
key
string
⚠️ CRITICAL: Full API key (shown ONLY ONCE, never retrievable again)Format: wy_{environment}_{48_hex_characters}
keyPrefix
string
First 16 characters for identification
keyPreview
string
Masked version for display
name
string
Name provided in request
environment
string
Environment: live or test
scopes
array
Array of granted permission scopes
rateLimit
number
Requests per hour limit
isActive
boolean
Always true on creation
usageCount
number
Always 0 on creation
lastUsedAt
string
Always null on creation
createdAt
string
ISO 8601 timestamp of creation
updatedAt
string
ISO 8601 timestamp of last update
expiresAt
string
Expiration timestamp (null if no expiration)
metadata
object
Custom metadata (includes userAgent automatically)

Errors

400
error
Bad Request - Validation failed (missing fields, invalid scopes, limit exceeded)
401
error
Unauthorized - User not signed in
500
error
Internal Server Error - Failed to create API key

How It Works

Creation Flow:
  1. Authentication: Verifies user is signed in
  2. Validation: Checks all required fields and constraints:
    • Name and scopes are required
    • Scopes must be from valid list
    • Environment must be “live” or “test”
    • Rate limit: 1-100,000
    • Expiry date must be in future
  3. Limit Check: Ensures user has < 10 active keys
  4. Key Generation:
    • Generates 24 random bytes (48 hex chars)
    • Formats as wy_{environment}_{random}
    • Creates SHA-256 hash for storage
    • Extracts first 16 chars as prefix
  5. Database Insert: Saves key with metadata
  6. Audit Log: Records creation for security tracking
  7. Response: Returns full key (only time it’s shown)
Security:
  • Only SHA-256 hash stored in database
  • Full key never retrievable after creation
  • Prefix stored for identification
  • User-agent automatically captured in metadata

API Key Structure

Key Format

Example (Live):
Example (Test):
Components:
  • wy_ - WiseYield identifier
  • {environment} - live or test
  • {random} - 48 hexadecimal characters (cryptographically secure)

Storage

Database:
  • keyHash - SHA-256 hash of full key
  • keyPrefix - First 16 characters (for display/identification)
Never Stored:
  • Full API key value (security best practice)

Scopes Reference

Farm Management

Crop Management

Field Management

Analytics

Task Management

Team Management

Webhooks

Full Access

Use Cases

Production Key with Limited Scopes

Test Key with Full Access

Temporary Key with Expiration

Mobile App Key

Best Practices

Save Immediately: Copy the full key to secure storage as soon as it’s created. It cannot be retrieved later.
Principle of Least Privilege: Grant only the scopes needed for the specific use case.
Use Test Keys for Development: Create test environment keys for local development and testing.
Set Expiration: For temporary access, always set an expiresAt date.
Descriptive Names: Use clear, descriptive names that indicate purpose and environment.
Metadata for Tracking: Use metadata to track which application, server, or user is using each key.
One-Time Display: The full API key is shown ONLY once. Save it immediately or lose it forever.
10 Key Limit: Maximum 10 active API keys per user. Revoke unused keys before creating new ones.
Never Commit Keys: Never commit API keys to version control. Use environment variables.
Rotate Regularly: Create new keys and revoke old ones periodically for security.

Security Best Practices

Key Storage:
Key Rotation:
Scope Management:

Integration Examples

API Key Creation Modal