API keys

API keys live under Settings, API keys. Issuing, rotating, and revoking keys is restricted to owners and admins. Keys are scoped to one organization and attributed to the user who created them.

Create a key with a descriptive name so you can tell them apart later ("CI", "Claude Desktop", "reporting script"). The full token, which starts with `sk_pageref_`, is shown once at creation. Copy it then; PageReflect stores only a hash and a short prefix, so it cannot show you the full value again.

Rotate a key to retire the old secret and get a new one in a single step, then update wherever the key is used. Revoke a key to disable it immediately. Revoke right away if a key is ever pasted into the wrong place or committed to a repo.

Each key has an invocation log showing the calls made with it, recorded with hashed arguments rather than raw values. Use it to confirm a key is being used as expected, or to spot one that should be retired. These keys authenticate the API reference, the MCP server, and the CLI.