API keys let you access the Astral API programmatically — for example, to build custom dashboards, automate athlete management, or connect Astral to third-party tools your coaching team uses. Each key is tied to your organization and can be given an optional expiration date.

Who can manage API keys

Only the head coach of an organization can create, list, and revoke API keys. Regular coaches and athletes do not have access to this feature. API key management also requires that your organization is on a plan that includes the security settings feature (Coach tier or above).

Create an API key

1. Go to security settings

   In the Astral app, open your organization settings and navigate to Security.

2. Create a new key

   Click New API key. Give the key a descriptive name so you can identify it later (for example, “Analytics integration” or “Roster sync script”).

3. Set an expiration date (optional)

   You can set a date when the key will automatically expire. Leaving this blank creates a key that doesn’t expire. Using expiration dates is recommended for keys used in automated scripts.

4. Copy your key

   After the key is created, copy the secret value shown on screen. This is the only time the full key is displayed. Store it securely — Astral does not show the key value again after you close this screen.

Via the API:
POST /api/v1/organizations/{org_id}/api-keys
Authorization: Bearer <your_token>
Content-Type: application/json

{
  "name": "Analytics integration",
  "expires_at": "2027-01-01T00:00:00Z"
}
The secret field in the response is only returned once at creation time. Store it immediately in a secure location such as a secrets manager or environment variable. If you lose the key, you’ll need to revoke it and create a new one.

List API keys

You can view all active API keys for your organization to audit which integrations are connected.

Via the API:
GET /api/v1/organizations/{org_id}/api-keys
Authorization: Bearer <your_token>
The list shows each key’s name, ID, creation date, and expiration date. The secret value is never returned when listing keys.

Revoke an API key

Revoking a key immediately disables it. Any requests made with that key after revocation will be rejected. Use this if a key is no longer needed or if you believe it has been compromised.

In the app: Go to Settings > Security, find the key in the list, and click Revoke.

Via the API:
DELETE /api/v1/organizations/{org_id}/api-keys/{key_id}
Authorization: Bearer <your_token>

Use an API key in requests

Include your API key in the Authorization header of each request using the Bearer scheme:
curl https://app.nexrex.ai/api/v1/organizations/{org_id}/members \
  -H "Authorization: Bearer astral_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
Replace astral_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx with your actual key secret.

Security best practices

  • Use one key per integration. Create a separate key for each script or tool rather than sharing a single key. This makes it easy to revoke access for one integration without affecting others.
  • Set expiration dates. For automated scripts or one-time imports, set a key to expire when the task is complete.
  • Store keys securely. Keep keys in environment variables or a secrets manager. Never hard-code them in source files or commit them to version control.
  • Rotate keys regularly. Even if a key hasn’t been compromised, rotating it periodically reduces your exposure window.
  • Revoke unused keys. Regularly review your key list and revoke any keys that are no longer in use.
If you think a key may have been exposed, revoke it immediately and create a new one. Astral has no way to recover or re-display a key secret after it’s been created.
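
The regular key review recommended above can be scripted against the output of the list endpoint. The following is an added example, not Astral's own code: the response field names (`id`, `name`, `created_at`, `expires_at`), the sample records, and the 90-day rotation and 14-day warning thresholds are all assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of a key-list response. The field names ("id", "name",
# "created_at", "expires_at") are assumptions; adjust them to the real payload.
SAMPLE_LIST = json.loads("""
[
  {"id": "key_1", "name": "Analytics integration",
   "created_at": "2026-04-10T09:00:00Z", "expires_at": "2027-01-01T00:00:00Z"},
  {"id": "key_2", "name": "Roster sync script",
   "created_at": "2025-02-01T12:00:00Z", "expires_at": null},
  {"id": "key_3", "name": "One-time import",
   "created_at": "2026-05-20T08:00:00Z", "expires_at": "2026-06-20T00:00:00Z"}
]
""")


def parse_ts(value):
    """Parse a UTC timestamp in the form 2027-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(keys, now, max_age_days=90, warn_days=14):
    """Return (key_id, finding) pairs for keys that need review.

    max_age_days and warn_days are assumed policy values, not Astral defaults.
    """
    findings = []
    for key in keys:
        expires = parse_ts(key["expires_at"]) if key.get("expires_at") else None
        if expires is None:
            findings.append((key["id"], "no expiration date set"))
        elif expires <= now:
            findings.append((key["id"], "past its expiration date"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((key["id"], "expires soon"))
        if now - parse_ts(key["created_at"]) > timedelta(days=max_age_days):
            findings.append((key["id"], "older than rotation window"))
    return findings


if __name__ == "__main__":
    now = datetime(2026, 6, 10, tzinfo=timezone.utc)  # fixed so the sample is stable
    for key_id, finding in audit_keys(SAMPLE_LIST, now):
        print(f"{key_id}: {finding}")
```

In real use, pass the parsed JSON body of the list request and `datetime.now(timezone.utc)` to `audit_keys`; the script never needs a key secret, because listing does not return one.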