Issue Key
POST /cdp/keys — issue a new vyg_ API key for a brand.
Request
Section titled “Request”POST /cdp/keysContent-Type: application/json| Field | Type | Required | Description |
|---|---|---|---|
brand_id | string | staff only | Target brand. Staff may specify any brand; for a non-staff brand-admin the target is always their own brand and a different brand_id is rejected 403. |
expires_at | string | number | no | Optional expiry — an ISO-8601 string or epoch milliseconds. Omit for no expiry. |
Response 201
Section titled “Response 201”{ "id": "key_abc", "key_prefix": "vyg_AbCd", "brand_id": "brand-uuid", "is_staff": false, "expires_at": null, "revoked_at": null, "created_at": "2026-01-15T00:00:00.000Z", "api_key": "vyg_AbCd…full-plaintext…"}| Field | Type | Description |
|---|---|---|
id | string | The key record id. |
key_prefix | string | Display-safe prefix (shown again on list). |
brand_id | string | The owning brand. |
is_staff | boolean | Whether the key was issued under a staff context. |
expires_at | string | null | Expiry timestamp, or null. |
revoked_at | string | null | Revocation timestamp, or null. |
created_at | string | null | Creation timestamp. |
api_key | string | The plaintext key — returned exactly once. Never returned again; store it immediately. |
Example
Section titled “Example”curl -s -X POST "https://cdp.vyg.app/cdp/keys" \ -H "Authorization: Bearer <session-credential>" \ -H "Content-Type: application/json" \ -d '{ "expires_at": "2027-01-01T00:00:00Z" }'Errors
Section titled “Errors”| Status | When |
|---|---|
400 | brand_id required for a staff operation but omitted, or an invalid expires_at. |
401 | Missing or invalid credential. |
403 | An API key was used for management; a non-staff caller targeted another brand; or no connected Shopify integration resolves a scope for the brand. |
405 | Unsupported method. |
500 | Brand-scope resolution failed. |
See Errors for the full envelope.