Layers
Account

API Keys

Create partner API keys for server-to-server access to the Layers Partner API.

View as Markdown

API keys in Layers are organization-scoped partner API keys — not per-user personal tokens. Create and manage them at Org → Settings → API Keys. Only organization owners and admins can create, rotate, or revoke keys.

Creating a key

  1. Click Create API key.
  2. Give it a name (3–50 characters, e.g. acme-prod-mcp).
  3. Add an optional note (up to 500 characters) to remind yourself what the key is for.
  4. Click Create.

The plaintext secret is shown once. Copy it now — it cannot be retrieved again.

Key format

Partner keys have the shape lp_<env>_<keyid>_<secret>:

  • env is live or test.
  • keyid is a 16-character uppercase alphanumeric identifier.
  • secret is a 43-character base64url string (32 bytes of entropy).

Send the full key as a Bearer token on the Authorization header to call the Partner API.

Revoking a key

Click Revoke next to a key. Revocation is immediate; any in-flight request still using the key will fail.

Rotation

Rotating a key issues a new secret and invalidates the old one. The key ID and prefix stay the same, so you don't have to re-register anywhere that refers to the key by ID — only update the secret in your secrets store.

Rate-limit tiers

Every key is assigned a rate-limit tier. Self-serve keys default to standard; design-partner and partner keys are upgraded by Layers operators. Per-endpoint-class limits for each tier are documented with the Partner API.

Scopes

Scopes (project allow-list, allowed OAuth return domains, tool / resource subsets) are currently managed by Layers operators via the system-admin key-issuance endpoint. Self-serve keys start with no scope restrictions and inherit the default quota.

Audit

Every use of a partner API key is recorded in the partner audit log for that organization. See Audit Log.

On this page

Creating a keyKey formatRevoking a keyRotationRate-limit tiersScopesAudit