Manage API keys - Starfort

API keys authorize Guard API calls. They belong to a Guardian in an API project.

Create a key

Open your Guardian → API Keys → Add API Key, give it a name, and Create.

API Keys page with the Add API Key button highlighted

The key is shown once in a confirmation dialog and starts with sf_. Copy it now — it cannot be retrieved later.

Copy the key now — it is shown only once

Treat keys like passwords. The key’s name appears as a tag on every trace, so name keys by caller or environment (e.g. prod-backend). A key name must be unique within the project — across all of its Guardians’ keys — so the name unambiguously identifies the caller in traces.

Key lifecycle

State	Meaning	Transitions
Active	Works normally.	→ Inactive, → Revoked
Inactive	Temporarily disabled by an admin — calls are refused.	→ Active, → Revoked
Revoked	Permanently disabled.	None — irreversible

Active and Inactive toggle freely. Revoke is permanent: a revoked key can’t be reactivated — issue a new key instead. A call with a missing/invalid/revoked key gets HTTP 401 — see Authentication and Errors & states.

Key state vs. Kill Switch

A key’s state and the Kill Switch are independent, and Starfort checks both on every request:

The Kill Switch (on the org, project, or Guardian) blocks traffic even for Active keys while it’s on. Your keys keep their state and resume normally the moment it’s cleared.
While any Kill Switch above a Guardian is on, you also can’t create new keys there.

Author a Guard Policy Control Profiles

​Create a key

​Key lifecycle

​Key state vs. Kill Switch

Create a key

Key lifecycle

Key state vs. Kill Switch