All key-management endpoints require your Supabase JWT in Authorization: Bearer .... They’re reached at https://api.atlasvpn.live. These are distinct from the CONNECT auth — which uses your proxy keyId:secret, not a JWT. The same endpoints back the /developer dashboard, so everything the UI can do, you can automate.

POST /api/v1/proxy/keys

Mint a new proxy key. Secret is returned once in the response — never retrievable again. 
curl -X POST https://api.atlasvpn.live/api/v1/proxy/keys \
     -H "Authorization: Bearer $SUPABASE_JWT" \
     -H "Content-Type: application/json" \
     -d '{"label": "prod-scraper", "tier": "developer", "liveMode": true}'
key.keyId
string
Public key identifier, e.g. avp_live_abc123.... Safe to log and paste in support tickets.
key.secret
string
64-char hex secret. Shown once. Store in your password manager or env var.
key.basicAuth
string
Pre-concatenated keyId:secret pair for drop-in use in a proxy URL.

GET /api/v1/proxy/keys

List all keys owned by the authenticated user. Returns summaries — never secrets. 
curl https://api.atlasvpn.live/api/v1/proxy/keys \
     -H "Authorization: Bearer $SUPABASE_JWT"
Returns an array of: 
{
  "id": "<uuid>",
  "keyId": "avp_live_abc123...",
  "label": "prod-scraper",
  "tier": "developer",
  "liveMode": true,
  "bandwidthUsedThisPeriodBytes": 1234567890,
  "bandwidthLimitBytes": 5000000000,
  "rateLimit": 10,
  "active": true,
  "lastUsedAt": "2026-04-25T10:12:03Z",
  "createdAt": "2026-04-20T08:55:17Z"
}

POST /api/v1/proxy/keys/:id/rotate

Rotate the secret on an existing key. The keyId stays the same — so your developer config doesn’t need to change — but the secret is replaced. Old secret stops being accepted within 30 seconds. 
curl -X POST https://api.atlasvpn.live/api/v1/proxy/keys/<id>/rotate \
     -H "Authorization: Bearer $SUPABASE_JWT"
Response shape identical to POST /keys. See Rotating secrets for the full rotation runbook.
Rate-limited to 5 rotations per minute per user. Legitimate rotation scenarios don’t need more than this; rapid repeated rotation is almost always a mistake.

DELETE /api/v1/proxy/keys/:id

Soft-delete. The key stops accepting traffic immediately, but the DB row is preserved so historical usage events still link to a valid apiKeyId. Not reversible from the developer API — only admins can re-activate a deleted key (via POST /admin/proxy/keys/:id/reactivate). 
curl -X DELETE https://api.atlasvpn.live/api/v1/proxy/keys/<id> \
     -H "Authorization: Bearer $SUPABASE_JWT"

GET /api/v1/proxy/usage

Aggregate usage for the current calendar month, across all your keys. 
{
  "totalBandwidthBytes": 1234567890,
  "totalRequests": 42,
  "activeKeys": 3,
  "tierBreakdown": { "developer": 2, "team": 1 }
}
Use this for your internal dashboard / billing reconciliation. For per-key detail, see Usage.