API Keys
API keys are machine credentials used by the Hall API server to enroll and authenticate with the pyhall registry. They are scoped to a namespace and cannot be used across namespaces.
Generating a Key
- Go to Dashboard → API Keys.
- Select the namespace from the dropdown.
- Click Generate Key.
- Copy the full API key immediately — it is shown only once. After you leave or reload the page, the plaintext key is gone. Only a hash is stored.
The key format is pyhall_<namespace>_<random>. Store it in your Hall API server’s environment as PYHALL_API_KEY.
Key Scopes
Keys are auto-scoped based on the namespace type:
| Scope | What it authorizes |
|---|---|
hall:enroll | Hall API server enrollment and session renewal |
runtime:delivery | Dispatch verification calls from the Hall API |
All keys receive both scopes. There is no way to create a read-only or partial-scope key — keys are full machine credentials.
Active Keys Table
The keys table shows all non-revoked keys for your namespaces. Each row shows:
| Column | Description |
|---|---|
| Key ID | First 8 characters of the key hash (for identification) |
| Namespace | Which namespace this key is scoped to |
| Scopes | Authorized operations |
| Created | Creation date |
| Last Used | Most recent API call using this key |
| Status | Active or Revoked |
Revoking a Key
Click Revoke on any active key. Revocation is immediate and permanent — the Hall API server using that key will fail to authenticate on the next call. You’ll need to generate a new key and update the server’s environment.
Revoke a key if:
- A key is compromised or accidentally exposed
- A Hall API instance is being decommissioned
- You are rotating credentials as a security practice
Key Limits
Your tier determines how many active API keys you can have per namespace. If you hit the limit, revoke an unused key before generating a new one. Key limits:
| Tier | Keys per Namespace |
|---|---|
| Free | 1 |
| Pro | 10 |
| Org Starter | 25 |
| Org Professional | 50 |
| Org Business | 150 |
| Enterprise | Unlimited |
Security Notes
- Never commit API keys to source control. Use environment variables or a secrets manager.
- Keys are stored as bcrypt hashes in the registry. There is no way to recover a lost key.
- If you lose a key, revoke it and generate a new one.
- API keys are separate from your pyhall account login — losing a key does not affect your account access.