Your secret key as a Bearer token:
Authorization: Bearer ak_…. Keys are prefixed ak_. There is one active key per organization.Store your key as an environment variable (
THRAD_ADS_API_KEY in these docs) and never commit it to source control. The full secret is shown only once, at the moment you create or rotate it.Making an authenticated request
Send the key in theAuthorization header on every call. The canonical check is GET /v1/ad_account, which returns the organization’s default ad account.
Authentication errors
A missingAuthorization header, a malformed header, or an unknown / expired / revoked key all return 401 with the bare error shape. The response is intentionally uniform — the API never reveals why a key was rejected, so it cannot be used as an oracle to distinguish an unknown key from an expired or revoked one.
| Status | Code | When |
|---|---|---|
401 Unauthorized | auth_required | No Authorization header was sent. |
401 Unauthorized | invalid_api_key | The header is malformed, or the key is unknown, expired, or revoked. Also returned once the owning organization is deleted. |
Rate limits
Throttling is per key (not per IP and not per organization), so the two keys that briefly coexist during a rotation each get their own budget.| Scope | Limit |
|---|---|
All /v1/ requests | 1000 / hour per key |
POST /v1/campaigns (charging endpoint) | 60 / hour per key, on top of the 1000/hour bucket |
429 with type: "rate_limit_error" and code rate_limit_exceeded.
429 Too Many Requests
Managing keys
API keys are created and managed from the Thrad Platform dashboard under Settings → API keys. Only organization owners and admins can mint, rotate, or revoke a key.Create
Mint the organization’s one active key. The secret is shown once.
Rotate
Mint a replacement. The previous key stays valid for a 30-minute grace window.
Revoke
Disable a key immediately, with no grace period.
/v1/, under the internal Platform API at https://api.thrad.ai/api/organizations/{org_public_id}/api-keys/. They are JWT/dashboard-gated (an ak_ key cannot call them) and they speak the platform { success, data, error, meta } envelope — unlike the bare /v1/ surface. Most advertisers never call these directly; the dashboard does it for you.
Create or rotate
A
POST mints a new key. If an active key already exists, it is rotated: the prior key is kept valid for the grace window, and the new key’s secret is returned once in the response. Copy it immediately — it is never shown again.Store the secret
Save the
secret as THRAD_ADS_API_KEY. Subsequent list calls only ever return the masked key_preview, never the full secret.Create / rotate a key
POST /api/organizations/{org_public_id}/api-keys/
The organization’s public UUID.
A dashboard JWT (
Bearer <jwt>). Owner or admin role required.Optional human-readable label for the key (100 characters or fewer).
List keys
GET /api/organizations/{org_public_id}/api-keys/
Returns the organization’s active key with the secret masked.
Revoke a key
DELETE /api/organizations/{org_public_id}/api-keys/{key_public_id}/
The organization’s public UUID.
The
public_id of the key to revoke.Rotation keeps the old key alive for a 30-minute grace window so an accidental rotation does not break a live integration outright. Revocation is immediate — use it the moment a key is compromised.
Response fields
The key’s public UUID. Use this as
{key_public_id} when revoking.The label given at creation (may be empty).
Whether the key is currently active. A rotated-out key reads
false during its grace window; a revoked key reads false immediately.Masked preview of the key for display — the first 6 characters, an ellipsis, then the last 4 (e.g.
ak_9bj…7f3c). Never the full secret.The full
ak_… secret. Returned only on the create/rotate response, never again.ISO 8601 timestamp (e.g.
"2026-04-02T12:00:00Z") of the key’s last authenticated request, or null if never used.ISO 8601 timestamp at which the key expires.
null for an active key; set to the end of the grace window after a rotation, or to the moment of revocation.ISO 8601 timestamp when the key was created.
