API Reference

Auth in 60 seconds

Every request to Cadreen is authenticated via a scoped API key. This page covers how keys work, how to manage them, how workspace isolation is enforced, and what errors to expect.

Auth in 60 seconds

Two commands. Create a key, then use it.

Note

For most users, the easiest way to create and manage keys is through the dashboard. The commands below use the workspace admin API (/api/v1/maas/) for programmatic key management. All other Cadreen operations use the /api/v1/cadreen/ prefix.

Create an API key

curl -X POST https://accomplishanything.today/api/v1/maas/workspaces/{workspace_id}/api-keys \
  -H "Authorization: Bearer $CADREEN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "production"}'

Use it

curl https://accomplishanything.today/api/v1/cadreen/health \
  -H "Authorization: Bearer $CADREEN_API_KEY"

How API keys work

PrefixAll keys are prefixed sk_cadreen_

TransportBearer token in the Authorization header

Workspace scopeKeys are scoped to a workspace — isolation is automatic

One-time viewFull key shown only once at creation time

Access scopeAccess is controlled at the workspace level — all keys in a workspace share the same permissions. Use separate workspaces to isolate access.

Key lifecycle

Four operations. Create gives you a plaintext key. Rotate creates a new key and puts the old one in "rotating" status. Revoke soft-deletes. List shows all keys with status.

Note

These endpoints use the /api/v1/maas/ workspace admin prefix. For interactive key management, use the dashboard. All runtime Cadreen operations (/intent, /setup, /connections, etc.) use the /api/v1/cadreen/ prefix.

Create

Request

curl -X POST https://accomplishanything.today/api/v1/maas/workspaces/{workspace_id}/api-keys \
  -H "Authorization: Bearer $CADREEN_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"name": "production"}'

Response

{
  "id": "key_01abc",
  "key_prefix": "sk_cadreen_",
  "name": "production",
  "plaintext": "sk_cadreen_xxxxxxxxxxxxxxxx",
  "created_at": "2026-06-03T12:00:00Z"
}

Rotate

Request

curl -X POST https://accomplishanything.today/api/v1/maas/workspaces/{workspace_id}/api-keys/{key_id}/rotate \
  -H "Authorization: Bearer $CADREEN_API_KEY"

Response

{
  "id": "key_01def",
  "key_prefix": "sk_cadreen_",
  "name": "production",
  "plaintext": "sk_cadreen_new_key_value_here",
  "rotated_from": "key_01abc"
}

Revoke

Request

curl -X DELETE https://accomplishanything.today/api/v1/maas/workspaces/{workspace_id}/api-keys/{key_id} \
  -H "Authorization: Bearer $CADREEN_API_KEY"

Response

204 No Content

List

Request

curl https://accomplishanything.today/api/v1/maas/workspaces/{workspace_id}/api-keys \
  -H "Authorization: Bearer $CADREEN_API_KEY"

Response

{
  "keys": [
    {
      "id": "key_01abc",
      "name": "production",
      "key_prefix": "sk_cadreen_",
      "created_at": "2026-06-03T12:00:00Z"
    },
    {
      "id": "key_02def",
      "name": "staging",
      "key_prefix": "sk_cadreen_",
      "created_at": "2026-05-01T08:00:00Z"
    }
  ],
  "count": 2
}

Note

Rotation is instant — the old key enters "rotating" status immediately and the new key is active. You get one plaintext view of the new key during rotation. After that, it cannot be retrieved.

Tenant isolation

Every API key is scoped to exactly one workspace

Workspace ID is derived from the key — no extra header needed for Bearer auth

Workspace-level headers are only required for internal/admin endpoints — not the public API

Data between workspaces is fully isolated

Authentication errors

All auth errors return a JSON body with code and message. The code is stable — program against it, not the message text.

HTTPCodeMeaning

401auth_missingNo Authorization header provided

401auth_invalidInvalid or expired API key

401auth_revokedKey has been revoked

401auth_rotatingOld key after rotation — use the new key

403auth_forbiddenKey does not have access to this workspace resource

429rate_limitedToo many requests — retry after Retry-After header

Error response shape

{
  "error": {
    "code": "auth_forbidden",
    "message": "API key does not have access to this workspace resource"
  }
}

SDK usage

The SDK reads the key from your environment. No manual header construction.

TypeScript

import { Cadreen } from "@cadreen/sdk";

const cadreen = new Cadreen({ apiKey: process.env.CADREEN_API_KEY });

Python

from cadreen import Cadreen

cadreen = Cadreen(api_key=os.environ["CADREEN_API_KEY"])

import cadreen "github.com/timothy-billingrails/cadreen-sdks/go/cadreen"

client := cadreen.NewClient(cadreen.CadreenConfig{
    APIKey: os.Getenv("CADREEN_API_KEY"),
})

Note

Need the full endpoint catalog? The API Reference documents every endpoint, parameter, and response schema. The Quickstart walks you through every step.