Skip to main content
All /v1 requests require an API key in the Authorization header.
Authorization: Bearer $PAM_API_KEY
API keys are scoped to a client organization. Requests can only access conversations, keys, and webhooks that belong to that organization.

Creating Keys

The first API key is provisioned outside the public API during onboarding. Once you have a valid key, you can create additional keys through the API:
curl https://api.pamhq.com/v1/api-keys \
  -X POST \
  -H "Authorization: Bearer $PAM_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Production integration",
    "expiresAt": "2027-01-01T00:00:00Z"
  }'
The raw key is returned only once. Store it immediately.
{
  "data": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "name": "Production integration",
    "key": "pk_live_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345678901",
    "keyPrefix": "pk_live_aBcD",
    "expiresAt": "2027-01-01T00:00:00Z",
    "createdAt": "2026-04-10T14:00:00Z"
  },
  "meta": {
    "requestId": "req_abc123"
  }
}

Rotating Keys

Use short, descriptive names for keys so they are easy to rotate later. To rotate a production key:
  1. Create a replacement key.
  2. Deploy the replacement key to your integration.
  3. Confirm traffic succeeds with the new key.
  4. Revoke the old key with POST /api-keys/{id}/revoke.
Revoked or expired keys receive 401 Unauthorized.