> ## Documentation Index
> Fetch the complete documentation index at: https://apidoc.cometapi.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Create an API key

> Use CometAPI POST /api/token/ to create an API key for the authenticated account.

Use this endpoint to create an API key for automation, internal dashboards, or server-side integrations.

<Note>
  Generate a personal access token at [Console → Personal Settings](https://www.cometapi.com/console/personal), then send it as the raw `Authorization` header value. Do not prefix it with `Bearer`.
</Note>

<Warning>
  The create response only confirms success. It does not include the new key record or key value. After creation, call [List API keys](./list-api-keys) to read the newest key record.
</Warning>

## Request body

| Field                  | Type           | Description                                                                                                                                                                                                                               |
| ---------------------- | -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `name`                 | string         | User-readable display name for the key. Must be 50 characters or fewer.                                                                                                                                                                   |
| `expired_time`         | integer        | Unix timestamp in seconds when the key expires. Use `-1` for no expiration.                                                                                                                                                               |
| `remain_quota`         | integer        | Starting quota in CometAPI internal quota units. If this reaches `0` and `unlimited_quota` is `false`, model requests with this key are rejected as quota exhausted.                                                                      |
| `unlimited_quota`      | boolean        | Whether the key bypasses remaining-quota checks. Set `true` only when the key should keep working even if `remain_quota` is `0`.                                                                                                          |
| `model_limits_enabled` | boolean        | Whether to restrict this key to specific models. When `false`, `model_limits` is ignored.                                                                                                                                                 |
| `model_limits`         | string         | Comma-separated model IDs allowed by this key when `model_limits_enabled` is `true`. Use model IDs returned by `/v1/models`; use an empty string for no model restriction.                                                                |
| `allow_ips`            | string or null | Optional IP allowlist. Provide one JSON string with entries separated by newline characters (`\n`). Each entry can be a single IPv4 address, single IPv6 address, IPv4 CIDR, or IPv6 CIDR. Use `null` or `""` to disable IP restrictions. |
| `group`                | string         | Optional account group restriction. Use an empty string for no explicit group. Non-empty values must be available to the account, or the API returns `success: false`.                                                                    |
| `cross_group_retry`    | boolean        | Whether cross-group retry is enabled for automatic group routing. This is only meaningful when the key uses an auto-routed group.                                                                                                         |

## Allowlist format

To allow multiple IPs or CIDR ranges, send them as one JSON string with `\n` between entries:

```json theme={null}
{
  "allow_ips": "198.51.100.10\n203.0.113.0/24\n2001:db8::/32"
}
```

This example allows one IPv4 address, one IPv4 CIDR range, and one IPv6 CIDR range.


## OpenAPI

````yaml api/openapi/api-keys/create-api-key.openapi.json POST /api/token/
openapi: 3.1.0
info:
  title: Create API Key
  version: 1.0.0
servers:
  - url: https://api.cometapi.com
security:
  - accessTokenAuth: []
paths:
  /api/token/:
    post:
      summary: Create a new API key
      description: >-
        Create an API key for the authenticated account. The response confirms
        success but does not include the new key record or key value; call the
        list endpoint after creation to read the record.
      operationId: createApiKey
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateApiKeyRequest'
            examples:
              default:
                summary: Create an API key
                value:
                  name: production
                  expired_time: -1
                  remain_quota: 100000
                  unlimited_quota: false
                  model_limits_enabled: false
                  model_limits: ''
                  allow_ips: null
                  group: ''
                  cross_group_retry: false
              with_ip_allowlist:
                summary: Configure an IP allowlist
                description: >-
                  Use one JSON string and separate multiple IP or CIDR entries
                  with `\n`.
                value:
                  name: production
                  expired_time: -1
                  remain_quota: 100000
                  unlimited_quota: false
                  model_limits_enabled: false
                  model_limits: ''
                  allow_ips: |-
                    198.51.100.10
                    203.0.113.0/24
                    2001:db8::/32
                  group: ''
                  cross_group_retry: false
      responses:
        '200':
          description: Create result.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ResultEnvelope'
              examples:
                success:
                  summary: Created
                  value:
                    success: true
                    message: ''
                name_too_long:
                  summary: Name too long
                  value:
                    success: false
                    message: token name is too long
      x-codeSamples:
        - lang: curl
          label: cURL
          source: |-
            curl https://api.cometapi.com/api/token/ \
              -H "Authorization: your-access-token" \
              -H "Content-Type: application/json" \
              -d '{
                "name": "production",
                "expired_time": -1,
                "remain_quota": 100000,
                "unlimited_quota": false,
                "model_limits_enabled": false,
                "model_limits": "",
                "allow_ips": null,
                "group": "",
                "cross_group_retry": false
              }'
        - lang: curl
          label: cURL with IP allowlist
          source: |-
            curl https://api.cometapi.com/api/token/ \
              -H "Authorization: your-access-token" \
              -H "Content-Type: application/json" \
              -d '{
              "name": "production",
              "expired_time": -1,
              "remain_quota": 100000,
              "unlimited_quota": false,
              "model_limits_enabled": false,
              "model_limits": "",
              "allow_ips": "198.51.100.10\n203.0.113.0/24\n2001:db8::/32",
              "group": "",
              "cross_group_retry": false
            }'
components:
  schemas:
    CreateApiKeyRequest:
      type: object
      properties:
        name:
          type: string
          maxLength: 50
          description: >-
            User-readable display name for the API key. The backend accepts up
            to 50 Unicode characters; longer names return `success: false` with
            `token name is too long`.
          example: production
        expired_time:
          type: integer
          description: >-
            Unix timestamp in seconds when the key expires. Use `-1` for no
            expiration. A past timestamp blocks model requests with this key.
          example: -1
        remain_quota:
          type: integer
          description: >-
            Starting quota for the new key in CometAPI internal quota units. If
            this reaches `0` while `unlimited_quota` is `false`, model requests
            with this key are rejected as quota exhausted.
          example: 100000
        unlimited_quota:
          type: boolean
          description: >-
            Whether the key bypasses remaining-quota checks. Set `true` only
            when the key should keep working even if `remain_quota` is `0`.
          example: false
        model_limits_enabled:
          type: boolean
          description: >-
            Whether to restrict this key to specific models. When `true`, only
            model IDs listed in `model_limits` are allowed. When `false`,
            `model_limits` is ignored.
          example: false
        model_limits:
          type: string
          description: >-
            Comma-separated model IDs allowed by this key when
            `model_limits_enabled` is `true`. Use model IDs returned by
            `/v1/models`, for example `<model-id-1>,<model-id-2>`. Use an empty
            string for no model restriction.
          example: ''
        allow_ips:
          type:
            - string
            - 'null'
          description: >-
            Optional IP allowlist. Provide one JSON string with entries
            separated by newline characters (`\n`). Each entry can be a single
            IPv4 address, single IPv6 address, IPv4 CIDR, or IPv6 CIDR. Example
            for three allowlist entries:
            `198.51.100.10\n203.0.113.0/24\n2001:db8::/32`. CometAPI compares
            the model request client IP to this list. Use `null` or `""` to
            disable IP restrictions.
          example: |-
            198.51.100.10
            203.0.113.0/24
            2001:db8::/32
        group:
          type: string
          description: >-
            Optional account group restriction. Use an empty string for no
            explicit group restriction. Non-empty values must be available to
            the account, or the API returns `success: false` with a `no access
            to group` message.
          example: ''
        cross_group_retry:
          type: boolean
          description: >-
            Whether cross-group retry is enabled for automatic group routing.
            This is only meaningful when the key uses an auto-routed group such
            as `auto`.
          example: false
      additionalProperties: false
    ResultEnvelope:
      type: object
      required:
        - success
        - message
      properties:
        success:
          type: boolean
          description: Whether the create operation succeeded.
          example: true
        message:
          type: string
          description: >-
            Backend status message. The value is usually an empty string on
            success.
          example: ''
  securitySchemes:
    accessTokenAuth:
      type: apiKey
      in: header
      name: Authorization
      description: >-
        Personal access token copied from CometAPI Console > Personal Settings.
        Send the raw token value; do not prefix it with `Bearer`.

````