Accounts API
Manage accounts and API keys.
Authentication
There are two authentication methods:
- Session cookies — set via SSO login through KF Auth, used by the web UI
- API keys —
Authorization: Bearer ul_..., used by apps and scripts
User accounts are created automatically on first sign-in via KF Auth (OIDC SSO). There are no local signup or login endpoints.
API keys have three scopes: read, write, admin. A key can optionally be scoped to a single collection.
GET /api/accounts/me
Auth: session or API key (any scope)
Get the authenticated account.
Response 200
{
"id": "uuid",
"slug": "jdoe",
"type": "user",
"displayName": "Jane Doe",
"email": "[email protected]",
"createdAt": "2026-01-15T00:00:00.000Z"
}GET /api/accounts/:slug
No auth required
Get public profile for any account.
Response 200
{
"id": "uuid",
"slug": "knowledge-futures",
"type": "org",
"displayName": "Knowledge Futures",
"createdAt": "2026-01-15T00:00:00.000Z"
}POST /api/accounts/keys
Auth: session or API key (any scope)
Create a new API key. The raw key is returned only once.
Request
{
"label": "my-sync-script",
"scope": "write",
"collectionId": "uuid (optional — scope key to one collection)"
}Response 201
{
"id": "uuid",
"key": "ul_a1b2c3d4e5...",
"label": "my-sync-script",
"scope": "write",
"collectionId": null
}GET /api/accounts/keys
Auth: session or API key (any scope)
List all API keys for the authenticated account. The raw key is not included.
DELETE /api/accounts/keys/:id
Auth: session or API key (any scope)
Revoke an API key.
Response 200
{"ok": true}