# List API keys

> GET /api-keys — list your API keys (metadata only).

`GET /api-keys`

Lists your API keys. Each entry includes a non-secret token **prefix** (`token`) for display — the full secret is stored only as a hash and is shown once, at creation, never again. The `limit` parameter is optional; if omitted, all keys are returned in a single response.

**Query parameters**

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `limit` | number | No | Number of API keys to retrieve. Minimum `1`, maximum `100`. |
| `after` | string | No | The ID after which to retrieve more keys (pagination). The ID itself is excluded. Cannot be combined with `before`. |
| `before` | string | No | The ID before which to retrieve more keys (pagination). The ID itself is excluded. Cannot be combined with `after`. |

**Node.js**

```js
import { MailBlastr } from 'mailblastr';

const mb = new MailBlastr('mb_xxxxxxxxx');

const { data, error } = await mb.apiKeys.list();
console.log({ data, error });
```

**Ruby**

```ruby
require "mailblastr"

Mailblastr.api_key = "mb_xxxxxxxxx"

Mailblastr::ApiKeys.list
```

**PHP**

```php
$mailblastr = Mailblastr::client('mb_xxxxxxxxx');

$mailblastr->apiKeys->list();
```

**Python**

```python
import mailblastr

mailblastr.api_key = "mb_xxxxxxxxx"

mailblastr.ApiKeys.list()
```

**Go**

```go
package main

import (
    "fmt"
    "io"
    "net/http"
)

func main() {
    req, _ := http.NewRequest("GET", "https://api.mailblastr.com/api-keys", nil)
    req.Header.Set("Authorization", "Bearer mb_xxxxxxxxx")
    res, _ := http.DefaultClient.Do(req)
    defer res.Body.Close()
    out, _ := io.ReadAll(res.Body)
    fmt.Println(string(out))
}
```

**Rust**

```rust
use reqwest::Client;

#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    let res = Client::new()
        .get("https://api.mailblastr.com/api-keys")
        .header("Authorization", "Bearer mb_xxxxxxxxx")
        .send()
        .await?;
    println!("{}", res.text().await?);
    Ok(())
}
```

**Java**

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;

var client = HttpClient.newHttpClient();
var request = HttpRequest.newBuilder()
    .uri(URI.create("https://api.mailblastr.com/api-keys"))
    .header("Authorization", "Bearer mb_xxxxxxxxx")
    .method("GET", HttpRequest.BodyPublishers.noBody())
    .build();
var response = client.send(request, HttpResponse.BodyHandlers.ofString());
System.out.println(response.body());
```

**.NET**

```csharp
using System.Net.Http;
using System.Text;

var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.mailblastr.com/api-keys");
request.Headers.Add("Authorization", "Bearer mb_xxxxxxxxx");
var response = await client.SendAsync(request);
Console.WriteLine(await response.Content.ReadAsStringAsync());
```

**cURL**

```bash
curl -X GET 'https://api.mailblastr.com/api-keys' \
  -H 'Authorization: Bearer mb_xxxxxxxxx'
```

**CLI**

```bash
mailblastr api-keys list
```

### Response

Each entry carries the key `name`, a non-secret `token` prefix, its `permission` (`full_access` or `sending_access`), the `domain_id` it is scoped to (`null` for account-wide keys), `created_at`, and a `last_used_at` timestamp (`null` if the key has never been used). `has_more` indicates whether further pages exist.

```json
{
  "object": "list",
  "has_more": false,
  "data": [
    {
      "id": "dacf4072-4119-4d88-932f-6202748ac7c8",
      "name": "Production server",
      "token": "mb_live_a1b2c3",
      "permission": "full_access",
      "domain_id": null,
      "created_at": "2026-06-23T10:00:00.000Z",
      "last_used_at": "2026-06-25T17:09:51.813Z"
    }
  ]
}
```
