Skip to main content

API keys

An API key is a personal token that proves a request is yours. You create keys in your web account and use them to authenticate tools — your own scripts, the desktop app, or third-party integrations — and to unlock your end-to-end-encrypted synced data right in the browser.

You manage keys under Account → API keys (/account/api-keys). Keys are created, shown to you once, and can be revoked at any time.

What a key is for

A single key does two jobs:

Use it to…What that means
Authenticate a toolLet a script, the desktop app, or a third-party integration act on your behalf.
Unlock synced data in the browserPaste a key into the Sync & devices page to decrypt your workspaces, entries, and dictionary terms locally — the key never leaves your browser.

That second job matters because your synced content is end-to-end encrypted: InkSpoke's servers store only ciphertext. Your API key is what the browser uses to derive your sync key and decrypt everything on your side. See Synced data and privacy for the full picture.

Create a key

  1. Go to Account → API keys and select + Create API key.
  2. Name the key something you'll recognize later — for example the machine or script that will use it ("My laptop", "backup script"). The name is just a label for you.
  3. InkSpoke generates the key and shows the full value once, in a banner with a Copy button. Copy it now — this is the only time you'll ever see the whole key.
  4. Store the copied value somewhere safe (a password manager is ideal), then Dismiss the banner. The key then appears in your keys table.

Keys look like sk-is-…. After you dismiss the banner, only a short prefix of the key is ever displayed again.

┌─────────────────────────────────────────────────────────────────┐
│ API keys [ + Create API key ] │
├─────────────────────────────────────────────────────────────────┤
│ ✓ Key created — copy it now; it won't be shown again │
│ ┌──────────────────────────────────────────┐ [ Copy ] │
│ │ sk-is-XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX │ [ Dismiss ] │
│ └──────────────────────────────────────────┘ │
├──────────────┬────────────┬───────────┬────────────┬────────────┤
│ Name │ Prefix │ Created │ Last used │ │
├──────────────┼────────────┼───────────┼────────────┼────────────┤
│ My laptop │ sk-is-a1… │ Jul 4 │ Never │ [ Revoke ] │
└──────────────┴────────────┴───────────┴────────────┴────────────┘
Copy it now — it's shown only once

The full key is revealed a single time, right after you create it. If you dismiss the banner without copying it, you cannot recover the value — you'll need to create a new key and revoke the old one. The Copy button flashes ✓ Copied for a couple of seconds so you know it worked.

First key

If you've never made a key, the page shows an empty state that prompts you to issue your first one. Just select + Create API key to begin.

The keys table

Every key you've created is listed with a few read-only details so you can tell them apart and spot ones you no longer need:

ColumnWhat it shows
NameThe label you gave the key when you created it.
PrefixThe first few characters of the key (sk-is-…) — enough to identify it, never the full value.
CreatedWhen the key was issued.
Last usedWhen the key last authenticated a request, or Never if it hasn't been used yet.
RevokeImmediately and permanently disables the key.

Last used is a quick way to find stale keys: anything still showing Never long after you made it is a safe candidate to revoke.

Use a key to unlock synced data

Your synced data is encrypted, so the web viewer starts locked. To read it:

  1. Open Account → Sync & devices (/account/sync-data).
  2. In the Unlock banner, paste an API key (sk-is-…).
  3. The browser derives your sync key locally and decrypts your workspaces, entries, and dictionary terms in place.

The key you paste stays in your browser session only — it isn't sent to the server, and the unlock doesn't persist after you close the tab. Full details are in Synced data and privacy.

Revoke a key

To disable a key, select Revoke on its row. Revocation takes effect immediately: any tool still using that key stops working, and the key can't be reactivated. Revoke a key whenever you:

  • suspect it was exposed or copied somewhere it shouldn't be,
  • retire the machine, script, or integration that used it, or
  • rotate keys as routine housekeeping.
Revoking a key you use for sync unlock

If you use a specific key to unlock your synced data in the browser, revoking it means you'll need a different valid key to unlock next time. Create the replacement first, then revoke the old one.

Security tips

  • Treat a key like a password. Anyone who has it can act as you and decrypt your synced data.
  • Never paste keys into shared docs, chat, screenshots, or commits. Store them in a password manager or a secrets vault.
  • One key per tool. Separate keys per machine or script make the Last used column meaningful and let you revoke just the one that leaked.
  • Rotate on suspicion. If you're unsure whether a key is still private, revoke it and create a new one — there's no downside.

Next steps