How to create and manage API keys
API keys authenticate marriska-runner, marriska-agent, and any
direct REST calls. Keys are scoped to one organization and don’t expire
on their own — you control their lifetime.
Create a key
- Open Settings → Security → API Keys
  You’ll see your existing keys (if any) and a Create API Key button. Only org owners and admins can manage keys; members see the list as read-only.
- Give the key a name
  Names are for you — “CI: smoke runs”, “Laptop agent”, “Jenkins nightly”. Pick something specific so you can revoke the right key later.
- Copy the full key immediately
  The key is shown once in a dialog right after creation. After you close it, only the prefix (ak_live_••••••••...abcd) is ever displayed again. There’s no “show key” later — if you lose it, create a new one and revoke the old.
Use the key
The key is a Bearer token. Two ways to pass it:

    # As an env var (preferred for CI)
    export MARRISKA_TOKEN=ak_live_...
    marriska-runner run --test-set "Smoke"

    # Directly via flag
    marriska-runner run --test-set "Smoke" --token ak_live_...

For raw HTTP calls:

    curl -H "Authorization: Bearer ak_live_..." \
      https://api.marriska.com/api/v1/cli/test-sets

Always send keys over HTTPS — the production API URL is HTTPS by default.
Store the key as a CI secret
Never commit a key to a repo. Use your CI provider’s secret store and
inject it as MARRISKA_TOKEN. For GitHub Actions specifically, see
Running tests in GitHub Actions.
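
One way to enforce the "never commit a key" rule on a developer machine, as an added example (not Marriska's own tooling): a Git pre-commit hook that scans staged content for the ak_live_ prefix and prints only masked matches. The character set and minimum length in KEY_RE and the function names are assumptions; the page documents only the prefix.

```shell
#!/bin/sh
# Added example: refuse a commit whose staged content contains an API key.
# ASSUMPTION: a key is "ak_live_" plus 16 or more characters from
# [A-Za-z0-9_-]. The page documents only the prefix; adjust KEY_RE to match.
KEY_RE='ak_live_[A-Za-z0-9_-]{16,}'

# mask_key KEY: print the prefix and last 4 characters only, so the
# scanner's own output never puts a usable key into a terminal or CI log.
mask_key() {
    printf 'ak_live_...%s\n' "$(printf '%s' "$1" | tail -c 4)"
}

# scan_stream LABEL: read text on stdin, print "LABEL:LINE: masked-key" for
# each hit. Returns 1 if at least one key was found, 0 otherwise.
scan_stream() {
    hits=$(grep -anEo -e "$KEY_RE") || return 0
    printf '%s\n' "$hits" | while IFS=: read -r lineno key; do
        printf '%s:%s: %s\n' "$1" "$lineno" "$(mask_key "$key")"
    done
    return 1
}

# scan_staged: scan the staged version of every added, copied or modified
# file (what will actually be committed, not the working-tree copy).
scan_staged() {
    found=0
    files=$(git diff --cached --name-only --diff-filter=ACM) || return 2
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        git show ":$f" | scan_stream "$f" || found=1
    done <<EOF
$files
EOF
    return "$found"
}

# Runs only when this file is installed as .git/hooks/pre-commit.
case "${0##*/}" in
    pre-commit)
        if ! scan_staged; then
            echo "Commit blocked: key scan failed or found an API key." >&2
            exit 1
        fi ;;
esac
```

A key that this hook catches has still been written to disk in plain text; if there is any chance it left the machine, revoke it and create a new one.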
See which keys exist and when they were last used
The Security page lists every active key with:
- Name
- Prefix (ak_live_••••••••••••••••••••••••abcd — the last 4 chars are the only readable part)
- Created-at timestamp
- Last-used-at timestamp (updates on every successful auth)
If last-used-at is empty for a key you thought was in use, the key
has never authenticated successfully — usually a copy-paste error or a
revoked-and-not-replaced rotation.
Revoke a key
Hit the trash icon on the row. Revocation is immediate:
- Any in-flight marriska-runner invocation completes its current run.
- New auth attempts with the revoked key return 401 Invalid or revoked API key.
- The key disappears from the list (revoked keys are hidden, not deleted).
Revocation has no undo. If you revoke the wrong key, create a new one.
Rotate a key
There’s no in-place rotation today; rotate by replacing:
- Create a new key with a clear name (“CI: smoke runs (new)”).
- Update the secret in every place the old key lives — CI, agent hosts, scripts.
- Trigger a run to confirm the new key works.
- Revoke the old key.
Plan your rotation around your api_keys cap — if you’re already at
the limit, you’ll need to revoke one before creating a new one. See
Plan tier limits.
Hitting the cap
If you try to create a key beyond your tier’s cap, the API returns
403 with a message naming the limit. Either revoke an unused key or
upgrade. See How to upgrade, downgrade, or cancel.
Related
- CLI reference — flags and env vars that consume the key
- Setting up the local agent — running marriska-agent with a key
- Running tests in GitHub Actions — storing the key as a GitHub secret
- Security model — how keys are stored and matched