Admin API

API keys

Create an API key

POST /v1/admin/keys
Authorization: Bearer <token>

Permission required: api_keys:create

Field	Type	Required	Description
name	string	Yes	Key name (e.g., production-backend)
scopes	string[]	No	Permission subset (default: all user permissions)

The response includes the full key — shown only once:

{
  "id": "550e8400-...",
  "name": "production-backend",
  "key": "bsk_live_a1b2c3d4e5f6...",
  "key_prefix": "bsk_live_a1b2c3d4",
  "scopes": ["credentials:issue", "credentials:verify"]
}

List API keys

GET /v1/admin/keys
Authorization: Bearer <token>

Revoke an API key

DELETE /v1/admin/keys/:id
Authorization: Bearer <token>

Permission required: api_keys:revoke

---

Webhooks

Register a webhook

POST /v1/admin/webhooks
Authorization: Bearer <token>

Permission required: webhooks:manage

Field	Type	Required	Description
url	string	Yes	Webhook endpoint URL
events	string[]	Yes	Events to subscribe to
secret	string	No	HMAC signing secret (auto-generated if omitted)

Webhook events

Event	Description
credential.issued	Credential was issued
credential.revoked	Credential was revoked
credential.verified	Credential was verified
consent.granted	Consent recorded
consent.revoked	Consent revoked
member.invited	Team invitation sent
member.joined	Member accepted invitation
member.removed	Member removed
member.role_changed	Member’s role changed

List webhooks

GET /v1/admin/webhooks
Authorization: Bearer <token>

Delete a webhook

DELETE /v1/admin/webhooks/:id
Authorization: Bearer <token>

---

Usage

GET /v1/admin/usage?months=6
Authorization: Bearer <token>

Permission required: usage:view

Response

{
  "current": {
    "month": "2026-03-01",
    "credentials_issued": 42,
    "credentials_verified": 15,
    "api_calls": 300
  },
  "limit": {
    "tier": "startup",
    "max_credentials_per_month": 1000,
    "max_dids": 5,
    "max_members": 5,
    "credentials_remaining": 958,
    "dids_used": 2,
    "members_count": 3
  },
  "history": [
    { "month": "2026-02-01", "credentials_issued": 100, "credentials_verified": 50, "api_calls": 800 }
  ]
}

---

Billing

Get billing info

GET /v1/admin/billing
Authorization: Bearer <token>

Permission required: tenant:manage

Upgrade tier

POST /v1/admin/billing/upgrade
Authorization: Bearer <token>

Field	Type	Required	Description
tier	string	Yes	developer, startup, business, enterprise
billing_email	string	No	Billing contact email

Pricing tiers

Tier	Monthly	Credentials/mo	DIDs	Members
Developer	Free	100	1	1
Startup	$49 CAD	1,000	5	5
Business	$199 CAD	10,000	25	25
Enterprise	Custom	Unlimited	Unlimited	Unlimited

---

Custom domains

Add a domain

POST /v1/admin/domains
Authorization: Bearer <token>

Permission required: tenant:manage

Field	Type	Required	Description
domain	string	Yes	Custom domain (e.g., credentials.yourcompany.com)

Returns a verification_token — add it as a DNS TXT record to verify.

Verify a domain

POST /v1/admin/domains/:id/verify
Authorization: Bearer <token>

List domains

GET /v1/admin/domains
Authorization: Bearer <token>

Remove a domain

DELETE /v1/admin/domains/:id
Authorization: Bearer <token>

---

Credential templates

List templates

GET /v1/templates
Authorization: Bearer <token>

Returns your tenant’s custom templates plus gallery templates.

Browse gallery

GET /v1/templates/gallery
Authorization: Bearer <token>

Pre-built templates: Canadian Digital ID, Driver License, Health Card, University Degree, Employment Credential, Age Verification (SD-JWT), EU PID (SD-JWT).

Create a template

POST /v1/templates
Authorization: Bearer <token>

Field	Type	Required	Description
name	string	Yes	Template name
description	string	Yes	Description
format	string	Yes	jwt_vc_json or vc+sd-jwt
types	string[]	Yes	Credential types
schema	object	Yes	JSON Schema for claims
sample_claims	object	No	Example claims

---

Sandbox

Provision sample data

POST /v1/sandbox/provision
Authorization: Bearer <token>

Creates sample data for quick evaluation: a DID, two sample credentials (JWT-VC + SD-JWT VC), and a consent record.

{
  "status": "provisioned",
  "provisioned": [
    { "resource": "did", "id": "did:key:z6Mk...", "details": "Ed25519 did:key" },
    { "resource": "credential", "id": "...", "details": "Sample CanadianDigitalID (JWT-VC)" },
    { "resource": "credential", "id": "...", "details": "Sample CanadianDigitalID (SD-JWT VC)" },
    { "resource": "consent", "id": "sample", "details": "Sample consent for identity verification" }
  ]
}

---

See also

• Security Model concept — API key security, tenant isolation
• Compliance Frameworks concept — compliance requirements for admin
• Console Guide — dashboard overview