---
title: GET /api/keys
description: List the authenticated user's CLI API keys — metadata only, never the raw secret. A web-session-scoped Settings route.
---

<Note>

Key management is a **web Settings** surface (Settings → API keys). This route backs that page; there's no dedicated CLI command for it.

</Note>

Lists the authenticated user's CLI API keys — metadata only, never the raw secret. Better Auth's apiKey plugin owns the underlying table; the route resolves the session from the request and re-checks ownership on `referenceId`.

## Endpoint

```text
GET https://scripto.codika.io/api/keys
```

## Auth

Session (web). As defense in depth, the route re-checks each key's `referenceId` against the user resolved from the session.

## Response (200)

```json
{
  "success": true,
  "data": {
    "keys": [
      {
        "id": "key_…",
        "name": "scripto-cli",
        "prefix": "scripto_",
        "start": "scripto_ab",
        "createdAt": "2026-06-20T10:00:00.000Z",
        "expiresAt": null
      }
    ]
  }
}
```

The raw key value is **never** in this response — it's only returned once, at creation.
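
The two server-side guarantees described above (an ownership re-check on `referenceId` and a metadata-only response) can be sketched as follows. This is an added example, not Scripto's or Better Auth's code: the row shape, the `key` column name, the 401 body shape, and both function names are assumptions for illustration.

```typescript
// Added example with hypothetical names; the stored row shape is an assumption.
interface StoredKeyRow {
  id: string;
  name: string | null;
  prefix: string | null;
  start: string | null;
  key: string;         // assumed column holding the stored secret material
  referenceId: string; // owner of the key
  createdAt: Date;
  expiresAt: Date | null;
}

type KeyMetadata = Pick<StoredKeyRow, "id" | "name" | "prefix" | "start"> &
  { createdAt: string; expiresAt: string | null };

// Build each entry field by field (an allowlist) rather than deleting secret
// fields from the row, so a column added later cannot leak by default.
function toKeyMetadata(row: StoredKeyRow): KeyMetadata {
  return {
    id: row.id,
    name: row.name,
    prefix: row.prefix,
    start: row.start,
    createdAt: row.createdAt.toISOString(),
    expiresAt: row.expiresAt ? row.expiresAt.toISOString() : null,
  };
}

// Re-check ownership on every row, even when the query was already scoped.
function listKeysForUser(rows: StoredKeyRow[], sessionUserId: string | null) {
  if (!sessionUserId) {
    return { status: 401, body: { success: false, code: "unauthenticated" } };
  }
  const keys = rows.filter((r) => r.referenceId === sessionUserId).map(toKeyMetadata);
  return { status: 200, body: { success: true, data: { keys } } };
}

// Constructed sample rows: one key per user, with placeholder secret values.
const sampleRows: StoredKeyRow[] = [
  { id: "key_a", name: "scripto-cli", prefix: "scripto_", start: "scripto_ab", key: "HASH_A",
    referenceId: "user_1", createdAt: new Date("2026-06-20T10:00:00.000Z"), expiresAt: null },
  { id: "key_b", name: "other", prefix: "scripto_", start: "scripto_cd", key: "HASH_B",
    referenceId: "user_2", createdAt: new Date("2026-06-21T10:00:00.000Z"), expiresAt: null },
];
```

A regression test that serializes the response and asserts the stored secret never appears in it catches a later refactor that switches to spreading the row.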

## Errors

| HTTP | `code` | Cause |
|---|---|---|
| 401 | `unauthenticated` | Not signed in. |
| 500 | `internal` | Backend error. |

## Next

- **[POST /api/keys](/api-reference/create-key)** — mint a key.
- **[DELETE /api/keys/[id]](/api-reference/revoke-key)** — revoke a key.
- **[API keys](/concepts/api-keys)** — the policy.
