API credentials | Pyro Docs

What API keys are for#

API keys let scripts and other clients talk to the Game Server Panel API on your behalf, so you can automate things like deployments, backups, or monitoring without logging in by hand each time. They are a panel feature rather than a billing one, so you create and manage them in your panel account, not at portal.pyro.host. Look for the API Keys page under your account settings, alongside your profile and security and SSH keys.

An API key carries the same access as your account, so treat the secret like a password. If you only need shell or file access to a server rather than the full API, an SSH key is usually the better fit.

Creating an API key#

On the API Keys page, click Create API Key and fill in the dialog that appears. Every key needs a Description of at least 4 characters. The description is the only label you get in the list later on, so pick something that tells you where the key is used, for example backup script or uptime monitor.

You can also fill in Allowed IPs to limit where the key works from. Enter one address per line, and CIDR ranges are accepted if you want a single entry to cover a block of addresses:

text

198.51.100.42
203.0.113.0/24

If you leave the field blank, the key works from any IP. Restricting a key to the address of the machine that will use it is a good habit, since a leaked key is then useless from anywhere else.

Your key is shown once#

As soon as you create the key, the panel shows the full secret in a popup. This is the only time you will see it, so copy it right away and store it somewhere safe like a password manager or a secret store.

Back in the list, each key shows only its identifier, the short prefix at the start of the token. The eye icon next to a key reveals that identifier, but it never reveals the secret part, so seeing the prefix is not enough to use the key.

If you lose the secret, there is no way to recover it. Create a new key and revoke the old one instead.

Managing your keys#

The list shows each key with its description, its identifier, and when it was last used. A key that has never made a request shows Never under last used, which is a quick way to spot keys you set up but never wired in. Reviewing this list now and then helps you delete keys you no longer need.

Revoking a key#

To revoke a key, use the delete button on its row and confirm in the Delete API Key dialog. Deleting a key invalidates it everywhere at once, so any client or script still using it stops working straight away. If a service still needs access, create a replacement key first and switch it over before you delete the old one.