API Keys / Tokens

POST/v1/orgs/{org_id}/tokens/runtime

Create Runtime Token

Create a project-scoped runtime token (evaluate + bundle fetch).

Admin tokenscope: org:adminoperation_id: tokens.createRuntime

Authentication

Create via POST /v1/orgs/{org_id}/tokens/admin. Org-wide scope — keep tightly held.

SDK install

pip install znyx-sdknpm install @znyx/sdk

Path parameters

Name	Type	Required	Description
org_id#path	string	required	—

Header parameters

Name	Type	Required	Description
X-API-Key#header	string \| null	optional	—
authorization#header	string \| null	optional	—

Request bodyrequired

Field	Type	Required	Description
project_id	string	required	—
environment_id	string \| null	optional	—
expires_in_days	integer	optional	—

Responses

Status	Description
201	Successful Response
422	Validation Error

Response schema

idrequiredinteger

key_prefixrequiredstring

key_typerequiredstring

org_idstring | null

project_idstring | null

environment_idstring | null

scopesstring[]

is_activerequiredboolean

expires_atstring | null

created_atrequiredstring

raw_keyrequiredstring

Errors & what triggers them

Code	Trigger	Fix
403	Caller is not an org admin.	—
404	project_id or environment_id does not belong to this org.	—
409	A runtime token for this (project, environment) already exists.	Use POST /v1/orgs/{org_id}/tokens/{key_id}/rotate to get a fresh raw value.

Notes & examples

When to use this

Create one runtime token per (project, environment) pair. Distribute it to the workloads that need to evaluate requests in that env — typically as an environment variable.

Scopes

Runtime tokens can:

POST /v1/evaluate/*
GET /v1/bundles/latest

They cannot publish bundles, invite team members, or read other envs. Rotate regularly and scope tightly.

The 409 conflict — "runtime_key_exists"

Attempts to create a second runtime token for the same (project, environment) return:

{
  "detail": {
    "error": "runtime_key_exists",
    "message": "A runtime key for this project/environment already exists..."
  }
}

There's exactly one active runtime token per scope. To get a fresh raw value, call rotate instead:

POST /v1/orgs/{org_id}/tokens/{key_id}/rotate

Storing the token

The raw token is returned once in the raw_key field on creation. Store it in your secret manager immediately — there is no retrieval endpoint. The API only keeps a hash.

POST /v1/orgs/{org_id}/tokens/admin — org-wide scope. For CI provisioning and scripts.
POST /v1/orgs/{org_id}/tokens/ci — CI-scoped, allows publish / activate / promote.
DELETE /v1/orgs/{org_id}/tokens/{id} — revoke.

Request

curl -X POST 'https://api.znyx.ai/v1/orgs/00000000-0000-0000-0000-000000000000/tokens/runtime' \
  -H 'Authorization: Bearer $ZNYX_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
  "project_id": "string",
  "environment_id": null,
  "expires_in_days": 365
}'

Response

application/json

Successful Response

{
  "id": 0,
  "key_prefix": "string",
  "key_type": "string",
  "org_id": null,
  "project_id": null,
  "environment_id": null,
  "scopes": [
    "string"
  ],
  "is_active": false,
  "expires_at": null,
  "created_at": "string",
  "raw_key": "string"
}

Schema: object