> ## Documentation Index
> Fetch the complete documentation index at: https://ownpay.org/docs/llms.txt
> Use this file to discover all available pages before exploring further.

> ## Agent Instructions
> OwnPay is licensed under AGPL-3.0 and is completely free - no licensing fees.
> Production docs URL: https://ownpay.org/docs - append .md to any page URL for clean markdown.
> OwnPay requires PHP 8.3+, MySQL/MariaDB, and Redis.
> MCP server available at https://ownpay.org/docs/mcp for programmatic documentation queries.
> Use root-relative links (e.g. /quickstart) for internal navigation - do NOT include /docs prefix.
> Plugin development: consult /developer/plugin-types/ pages for correct interfaces and manifests.

# List API Keys

> Lists metadata for all API keys created for the brand. Full key secrets are hashed and never returned in list metadata for security.
**Requires special admin authorization**: API key must possess `write` and `admin` scopes, and the `X-Super-Admin-Email` header
must identify an active superadmin user.




## OpenAPI

````yaml /api/merchant_api.yaml get /api-keys
openapi: 3.1.0
info:
  title: OwnPay Merchant API
  description: >
    The OwnPay Merchant API enables merchants to programmatically interface with
    their white-labeled payment gateway.

    It exposes endpoints to initiate payments (creating payment intents), query
    transaction statuses, issue full or partial refunds, manage customer
    profiles securely in compliance with GDPR and OWASP, generate and revoke API
    keys, and test/audit webhook delivery attempts.


    ### Authentication

    Authentication is performed via HTTP Bearer token in the `Authorization`
    header.

    ```http

    Authorization: Bearer your_api_key_here

    ```

    API keys carry specific privilege scopes (e.g., `read`, `write`, `admin`).

    Some administrative operations (like listing/generating API keys) require
    **both** `write` and `admin` scopes, as well as passing a valid platform
    super-administrator's email address in the `X-Super-Admin-Email` header for
    safety.
  version: 1.0.0
servers:
  - url: https://{brand_domain}/api/v1
    description: Sandbox or Production white-labeled brand gateway API server.
    variables:
      brand_domain:
        default: ownpay.org
        description: The custom domain configured for your white-labeled brand.
security:
  - BearerAuth: []
paths:
  /api-keys:
    get:
      summary: List API Keys
      description: >
        Lists metadata for all API keys created for the brand. Full key secrets
        are hashed and never returned in list metadata for security.

        **Requires special admin authorization**: API key must possess `write`
        and `admin` scopes, and the `X-Super-Admin-Email` header

        must identify an active superadmin user.
      operationId: listApiKeys
      parameters:
        - name: X-Super-Admin-Email
          in: header
          required: true
          description: Email of an active platform super-administrator.
          schema:
            type: string
      responses:
        '200':
          description: API key metadata objects list.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKeysListResponse'
        '400':
          description: Missing superadmin email header.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiSingleErrorResponse'
        '401':
          description: Unauthorized request (e.g. missing API key).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiSingleErrorResponse'
        '403':
          description: >-
            Insufficient privileges (key lacks scopes or email is not an active
            superadmin).
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiSingleErrorResponse'
components:
  schemas:
    ApiKeysListResponse:
      type: object
      properties:
        success:
          type: boolean
          example: true
        data:
          type: array
          items:
            type: object
            properties:
              id:
                type: integer
                example: 4
              name:
                type: string
                example: POS-System-Integration
              prefix:
                type: string
                example: op_live_5gH2
              status:
                type: string
                example: active
              last_used:
                type: string
                format: date-time
                nullable: true
                example: '2026-06-23T14:18:22Z'
              expires_at:
                type: string
                format: date-time
                nullable: true
                example: null
              created_at:
                type: string
                format: date-time
                example: '2026-06-21T09:00:00Z'
    ApiSingleErrorResponse:
      type: object
      properties:
        success:
          type: boolean
          example: false
        error:
          type: string
          example: Payment not found
        errors:
          type: array
          items:
            type: object
            properties:
              code:
                type: string
                example: PAYMENT_NOT_FOUND
              message:
                type: string
                example: Payment not found
              field:
                type: string
                nullable: true
                example: null
        request_id:
          type: string
          example: 8f5a2e9b0c7d4e5f
  securitySchemes:
    BearerAuth:
      type: http
      scheme: bearer
      description: Provide the Bearer API Key generated for your brand.

````

## Related topics

- [Generate API Key](/docs/api-reference/generate-api-key.md)
- [Revoke API Key](/docs/api-reference/revoke-api-key.md)
- [List Customers](/docs/api-reference/list-customers.md)
- [List Refunds](/docs/api-reference/list-refunds.md)
- [List Transactions](/docs/api-reference/list-transactions.md)
