For AI agents: a documentation index is available at the root level at /llms.txt and /llms-full.txt. Append /llms.txt to any URL for a page-level index, or .md for the markdown version of any page.
Logo
Resources
Log inGet a demo
Get startedConnectorsAPI reference
Get startedConnectorsAPI reference
  • Agent Handler
      • GETList access keys
      • POSTCreate access key
      • GETGet access key
      • POSTRegenerate access key secret
      • POSTRevoke access key

Get started

  • Overview
  • Introduction
  • Unified API
  • Linked Account
  • Merge Link
  • Use cases

Implementation

  • Sandboxes
  • SDKs
  • API access
  • Syncing data
  • Writing data
  • Data minimization
  • Supplemental data
  • Errors
  • Integration metadata

API reference

  • ATS
  • HRIS
  • Accounting
  • Ticketing
  • CRM
  • File Storage
  • Knowledge Base
  • Chat

Resources

  • Help Center
  • Merge.dev
  • Changelog
© Merge 2026Terms of usePrivacy policy
UnifiedAgent HandlerGateway
UnifiedAgent HandlerGateway
Resources
Log inGet a demo
Agent HandlerAccess keys

Create access key

POST
https://ah-api.merge.dev/api/v1/access-keys/
POST
/api/v1/access-keys/
$curl -X POST https://ah-api.merge.dev/api/v1/access-keys/ \
>     -H "Authorization: Bearer <token>" \
>     -H "Content-Type: application/json" \
>     -d '{
>  "name": "long-lived",
>  "expires_at": null
>}'
201Full access
1{
2  "id": "3c90c3c0-6d46-4b50-8888-8dd25736052f",
3  "key": "sk_live_lll999...",
4  "key_masked": "sk_live_lll...9f8e",
5  "created_at": "2026-04-29T12:00:00Z",
6  "name": "long-lived",
7  "tool_pack_ids": null,
8  "registered_user_ids": null,
9  "is_test": false,
10  "expires_at": null
11}

Creates a new access key. Can be scoped to specific tool packs and registered users. The new key’s scope must be a subset of the parent key (the access key authenticating this request).

Was this page helpful?
Previous

List access keys

Next

Get access key

Authentication

AuthorizationBearer

Token-based authentication with required prefix “Bearer”

Request

This endpoint expects an object.
namestringOptional<=255 characters

Human-readable label for the key. Auto-generated if omitted.

tool_pack_idslist of strings or nullOptional

Tool packs this key can access. Must be a subset of the parent key’s tool_pack_ids. Pass null for unrestricted access to all tool packs in the organization.

registered_user_idslist of strings or nullOptional

Registered users this key can access. Must be a subset of the parent key’s registered_user_ids. Pass null for unrestricted access to all registered users in the organization.

scopeslist of stringsOptional

Limits which actions this key can perform. Available scopes: runtime:all (MCP tool calls), management:all (resource management endpoints).

is_testbooleanOptionalDefaults to false
If true, the key can only authenticate test registered users.
expires_atdatetime or nullOptional

Expiration timestamp. Must be before the parent key’s expires_at. Defaults to 90 days from now if omitted. Pass null explicitly for a key that never expires.

expires_inintegerOptional>=60

Seconds until the key expires. Alternative to expires_at.

Response

idstringRead-onlyformat: "uuid"
keystring or nullRead-only
Raw secret value. Returned only on create or regenerate.
key_maskedstringRead-only
Truncated form of the secret safe to display in UIs.
created_atdatetimeRead-only
namestring<=255 characters

Human-readable label for the key. Auto-generated if omitted.

tool_pack_idslist of strings or null

Tool packs this key can access. Must be a subset of the parent key’s tool_pack_ids. Pass null for unrestricted access to all tool packs in the organization.

registered_user_idslist of strings or null

Registered users this key can access. Must be a subset of the parent key’s registered_user_ids. Pass null for unrestricted access to all registered users in the organization.

scopeslist of strings

Limits which actions this key can perform. Available scopes: runtime:all (MCP tool calls), management:all (resource management endpoints).

is_testbooleanDefaults to false
If true, the key can only authenticate test registered users.
expires_atdatetime or null

Expiration timestamp. Must be before the parent key’s expires_at. Defaults to 90 days from now if omitted. Pass null explicitly for a key that never expires.