Source: https://datafa.st/docs/api/account/website-keys/create
Markdown source: https://datafa.st/docs/api/account/website-keys/create.md
Description: Create a df_ website API key. The raw key is returned once.

# Create website key

`POST https://datafa.st/api/v1/admin/websites/{websiteId}/apikeys`

Create a new `df_` website API key. The full key is returned **once** — store it securely. Maximum 10 keys per website.

Use website keys for single-site integrations that should not manage the broader account.

## Request

#### Path parameters

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| `websiteId` | string | — | Website ObjectId. From [List websites](/docs/api/account/websites/list) (`_id` field). Example: `665f0b3c4d2e1a0012345678`. |

#### Body parameters

| Field | Type | Required | Description |
| --- | --- | --- | --- |
| `name` | string | No | Label for the API key in the dashboard. Example: `"Production backend"`. Omit for `null`. |

#### Example request body

```json
{
  "name": "Production backend"
}
```

The response includes `key` once — store it as `df_...` for Website API calls.

## Response

Returns a JSON object with `status: "success"` and endpoint-specific fields in `data`.

#### Response fields

| Field | Type | Description |
| --- | --- | --- |
| `data[]._id` | string | Website API key ObjectId. |
| `data[].name` | string\|null | Human-readable name for the resource or event. The exact meaning depends on the endpoint. |
| `data[].displayKey` | string | Masked key shown in the dashboard. |
| `data[].websiteId` | string | Website ObjectId used by account tokens to choose which website to query or manage. |
| `data[].lastUsedAt` | string\|null | Last usage timestamp. |
| `data[].createdAt` | string | Creation timestamp. |
| `data[].key` | string | Only returned when creating or rolling a key. Full raw key shown once. |

### Authentication

Use a `dft_` account token with `api-keys:write`.

A `df_` website API key for the same website can also call this route when the path `websiteId` matches the key's website. Write access with a `df_` key is capped at **member** level — owner-only actions such as [team management](/docs/api/account/team) require a `dft_` token and owner role.

### Errors

**400** — Key limit reached (max 10 per website).

See [API errors](/docs/api#errors) for the standard error envelope, auth failures, validation errors, permission errors, and rate limits.

## Code examples

### Example request

```bash
curl -X POST "https://datafa.st/api/v1/admin/websites/{websiteId}/apikeys" \
  -H "Authorization: Bearer dft_xxx" \
  -H "Content-Type: application/json" \
  -d '{"name":"Production key"}'
```

### Success response

```json
{
  "status": "success",
  "data": [{
    "_id": "665f0b3c4d2e1a0012345678",
    "name": "Production key",
    "displayKey": "df_ab12...xyz9",
    "websiteId": "665f0b3c4d2e1a0012345678",
    "key": "df_full_key_shown_once"
  }]
}
```