> ## Documentation Index
> Fetch the complete documentation index at: https://developers.dealroom.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Create API key

> Provisions an Auth0 application and returns the client credentials.

**Key types:**

- `m2m` (default) — Machine-to-Machine, uses `client_credentials` grant. Suitable for server-side integrations. Returns `client_id` + `client_secret`. The secret is shown only once — store it securely.
- `application` — Browser SPA, uses Authorization Code + PKCE. Users authenticate via Auth0 Universal Login; effective scopes = `user.permissions ∩ key.permissions`. **Read-only** — all permissions must start with `read:`. Returns `client_id` only (no secret). Requires `allowed_origins` and `allowed_callback_urls`.

**Calling the API with the created M2M key:** subsequent API requests must include an `Authorization` bearer token (obtained by exchanging the key's `client_id` + `client_secret` at the Auth0 token endpoint) and `X-Client-Id` set to the issued `client_id`. Application (SPA) keys use Authorization Code + PKCE instead — see the Authentication guide.



## OpenAPI

````yaml /mintlify/openapi.yaml post /api/platform/api-keys
openapi: 3.1.0
info:
  title: Dealroom API
  version: '2026-07-06'
  description: >-
    REST API for the Dealroom platform — companies, funds, founders, investors,
    funding rounds, valuations, taxonomy, news, and aggregate analytics across
    all of them. Authentication uses Auth0 (Bearer JWT or OAuth2
    client_credentials). All endpoints are versioned via the `API-Version`
    header (Stripe-style date-based versioning).
  contact:
    name: Dealroom API support
    email: support@dealroom.co
    url: https://dealroom.co
  termsOfService: https://dealroom.co/terms
  license:
    name: Proprietary — Dealroom commercial license
    url: https://dealroom.co/terms
servers:
  - url: https://api-next.dealroom.co
    description: Production
  - url: https://api-next.beta.dealroom.co
    description: Beta
  - url: https://api-next.staging.dealroom.dev
    description: Staging
security:
  - bearerAuth: []
  - oauth2: []
tags:
  - name: Discovery
    description: API root discovery and functional namespaces.
  - name: Entities
    description: >-
      Companies, investors, people, universities, and other organisations.
      Filter, sort, and paginate the unified entity index. The term `investor`
      refers to the investment firm; `fund` refers to the capital vehicle it
      raises.
  - name: Companies
    description: >-
      Company profiles — the `organization_subtype = company` subset of entities
      (excludes investors, universities, and gov/NGOs). Same response shape as
      the entity index, scoped to companies.
  - name: Universities
    description: >-
      University profiles — the `organization_subtype = university` subset of
      entities. The `university` sub-object carries alumni metrics.
  - name: Government & NGO
    description: >-
      Government bodies and NGOs — the `organization_subtype = gov_ngo` subset
      of entities.
  - name: Transactions
    description: >-
      Funding rounds, equity events, debt, grants, exits, and other
      company-level financial events.
  - name: Valuations
    description: Company valuation history by year and month.
  - name: Investors
    description: >-
      Investor profiles (VCs, corporates, angels, family offices, governments).
      Subset of entities where `is_investor = true`. An investor is the firm
      that makes investments; the capital vehicles it raises are funds available
      via `/investors/{id}/funds`.
  - name: Funds
    description: >-
      Funds — the capital vehicles investor firms raise (e.g. "Fund III", $200M,
      2024). Browse/filter by manager, type, size, and vintage; each fund links
      to its manager (GP). Fund size (`amount`) converts to the requested
      `?currency=` (default USD); `amount_source` carries the original
      native-currency amount.
  - name: People
    description: >-
      Person profiles (founders, executives, angels, and others). Subset of
      entities where `entity_type = 'person'`. Same response shape as founders,
      with company associations, education, and backgrounds.
  - name: Founders
    description: >-
      Founder profiles with company associations and education history. Subset
      of entities where `is_founder = true`.
  - name: News
    description: Curated news articles about companies, funds, deals, sectors, and events.
  - name: Jobs
    description: Active job openings posted by companies, with hiring-trend signals.
  - name: Aggregate
    description: >-
      Composable single- and multi-metric aggregations across companies, funding
      rounds, valuations, founders, and investors.
  - name: Funding Analytics
    description: 'Purpose-built analytics: 2D heatmaps, round transitions, capital funnels.'
  - name: Timeseries
    description: Yearly entity metrics (employees, revenue, valuation).
  - name: Matching
    description: >-
      Investor matching tool: ranked investor recommendations for a given deal
      profile.
  - name: Filters
    description: >-
      Filter registry discovery and value lookup. Use `/api/reference/filters`
      to discover available filters per scope and
      `/api/reference/filters/:key/values` to look up valid values.
  - name: Account
    description: User profile, authentication introspection, and account settings.
  - name: API Keys
    description: >-
      Self-service API key management. Programmatic (M2M) keys for server-side
      and Application (PKCE) keys for browser SPAs.
  - name: Teams
    description: Team membership and invitation management.
  - name: Usage
    description: Request-count usage analytics per API key for billing and introspection.
  - name: Metrics
    description: >-
      Service observability metrics (OpenTelemetry configuration and runtime
      counters).
  - name: Health
    description: Liveness probe (public, unauthenticated).
  - name: Search
    description: >-
      Cross-resource fuzzy search across companies, investors, people,
      universities, and government & NGO bodies.
  - name: Ecosystems
    description: >-
      Curated entity collections that can be filtered, navigated, and compared.
      Includes nested landscape resources.
  - name: Landscapes
    description: Saved entity lists within an ecosystem (e.g. "top fintech in NL").
  - name: Enhancement Requests
    description: User-submitted profile data corrections routed to Dealroom Data Support.
paths:
  /api/platform/api-keys:
    post:
      tags:
        - API Keys
      summary: Create API key
      description: >-
        Provisions an Auth0 application and returns the client credentials.


        **Key types:**


        - `m2m` (default) — Machine-to-Machine, uses `client_credentials` grant.
        Suitable for server-side integrations. Returns `client_id` +
        `client_secret`. The secret is shown only once — store it securely.

        - `application` — Browser SPA, uses Authorization Code + PKCE. Users
        authenticate via Auth0 Universal Login; effective scopes =
        `user.permissions ∩ key.permissions`. **Read-only** — all permissions
        must start with `read:`. Returns `client_id` only (no secret). Requires
        `allowed_origins` and `allowed_callback_urls`.


        **Calling the API with the created M2M key:** subsequent API requests
        must include an `Authorization` bearer token (obtained by exchanging the
        key's `client_id` + `client_secret` at the Auth0 token endpoint) and
        `X-Client-Id` set to the issued `client_id`. Application (SPA) keys use
        Authorization Code + PKCE instead — see the Authentication guide.
      operationId: createApiKey
      requestBody:
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateApiKey'
            examples:
              m2m:
                summary: Programmatic (M2M) key
                value:
                  type: m2m
                  name: Production data pipeline
                  permissions:
                    - read:entities
                    - read:investors
                    - read:transactions
              application:
                summary: Browser app (PKCE) key — read-only
                value:
                  type: application
                  name: Portfolio dashboard SPA
                  permissions:
                    - read:entities
                    - read:investors
                  allowed_origins:
                    - https://portfolio.example.com
                    - http://localhost:5173
                  allowed_callback_urls:
                    - https://portfolio.example.com/callback
                    - http://localhost:5173/callback
      responses:
        '201':
          description: API key created
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ApiKeyCreatedDetailResponse'
        '400':
          description: >-
            Validation error (e.g. unknown permission, write permission on
            application key)
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '401':
          description: >-
            Authentication required. The `Authorization` header was missing, the
            bearer token was malformed, or the token failed signature / expiry
            validation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
        '403':
          description: >-
            Authentication succeeded but the caller's token does not include the
            permission required for this operation.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/ErrorResponse'
      security:
        - oauth2:
            - create:api-keys
        - bearerAuth:
            - create:api-keys
components:
  schemas:
    CreateApiKey:
      oneOf:
        - type: object
          properties:
            type:
              type: string
              enum:
                - m2m
              description: >-
                Programmatic key using client_credentials grant — server-side
                only.
              example: m2m
            name:
              type: string
              minLength: 1
              maxLength: 100
              description: A human-readable name for the API key
              example: Production integration
            permissions:
              type: array
              items:
                type: string
              minItems: 1
              description: Permissions to grant (must be a subset of your own)
              example:
                - read:entities
                - read:investors
          required:
            - type
            - name
            - permissions
        - type: object
          properties:
            type:
              type: string
              enum:
                - application
              description: >-
                Browser app key using Authorization Code + PKCE. Read-only (all
                permissions must start with 'read:').
              example: application
            name:
              type: string
              minLength: 1
              maxLength: 100
              description: A human-readable name for the API key
              example: Production integration
            permissions:
              type: array
              items:
                type: string
              minItems: 1
              description: Permissions to grant (must be a subset of your own)
              example:
                - read:entities
                - read:investors
            allowed_origins:
              type: array
              items:
                type: string
              minItems: 1
              description: >-
                Origins the CORS middleware allows. Must be HTTPS or
                http://localhost. No path, query, or fragment.
              example:
                - https://app.example.com
                - http://localhost:3000
            allowed_callback_urls:
              type: array
              items:
                type: string
                format: uri
              minItems: 1
              description: OAuth2 redirect URIs registered in Auth0.
              example:
                - https://app.example.com/callback
                - http://localhost:3000/callback
          required:
            - type
            - name
            - permissions
            - allowed_origins
            - allowed_callback_urls
    ApiKeyCreatedDetailResponse:
      type: object
      properties:
        data:
          $ref: '#/components/schemas/ApiKeyCreatedResponse'
      required:
        - data
    ErrorResponse:
      type: object
      properties:
        error:
          type: object
          properties:
            code:
              type: string
            message:
              type: string
            details:
              anyOf:
                - type: array
                  items:
                    type: object
                    properties:
                      path:
                        type: string
                      message:
                        type: string
                    required:
                      - path
                      - message
                - type: object
                  additionalProperties:
                    anyOf:
                      - type: string
                      - type: number
                      - type: boolean
          required:
            - code
            - message
      required:
        - error
    ApiKeyCreatedResponse:
      allOf:
        - $ref: '#/components/schemas/ApiKeyResponse'
        - type: object
          properties:
            client_secret:
              type: string
    ApiKeyResponse:
      type: object
      properties:
        id:
          type: number
        name:
          type: string
        type:
          type: string
          enum:
            - m2m
            - application
        client_id:
          type: string
        permissions:
          type: array
          items:
            type: string
        allowed_origins:
          type:
            - array
            - 'null'
          items:
            type: string
        allowed_callback_urls:
          type:
            - array
            - 'null'
          items:
            type: string
        last_used_at:
          type:
            - string
            - 'null'
        created_at:
          type: string
        created_by:
          type:
            - string
            - 'null'
      required:
        - id
        - name
        - type
        - client_id
        - permissions
        - allowed_origins
        - allowed_callback_urls
        - last_used_at
        - created_at
        - created_by
  securitySchemes:
    bearerAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: >-
        Auth0 JWT access token. Paste a token obtained from your preferred
        OAuth2 flow. For machine-to-machine use, the OAuth2 client_credentials
        scheme below can mint a token directly from your `client_id` /
        `client_secret` inside the Swagger UI Authorize dialog.
    oauth2:
      type: oauth2
      description: >-
        OAuth2 client-credentials flow against the Dealroom Auth0 tenant. Use
        the `client_id` / `client_secret` from a Programmatic API key. Tokens
        are valid for 24h — Swagger UI will reuse the same token across
        operations.
      flows:
        clientCredentials:
          tokenUrl: https://accounts.dealroom.co/oauth/token
          scopes:
            read:entities: Grant the read:entities permission
            read:transactions: Grant the read:transactions permission
            read:valuations: Grant the read:valuations permission
            read:investors: Grant the read:investors permission
            read:founders: Grant the read:founders permission
            read:dimensions: Grant the read:dimensions permission
            read:timeseries: Grant the read:timeseries permission
            read:aggregate: Grant the read:aggregate permission
            read:funding-analytics: Grant the read:funding-analytics permission
            read:ecosystems: Grant the read:ecosystems permission
            write:ecosystems: Grant the write:ecosystems permission
            delete:ecosystems: Grant the delete:ecosystems permission
            write:landscapes: Grant the write:landscapes permission
            delete:landscapes: Grant the delete:landscapes permission
            read:metrics: Grant the read:metrics permission
            create:api-keys: Grant the create:api-keys permission
            read:api-keys: Grant the read:api-keys permission
            delete:api-keys: Grant the delete:api-keys permission
            admin:api-keys: Grant the admin:api-keys permission
            read:usage: Grant the read:usage permission
            read:news: Grant the read:news permission
            read:jobs: Grant the read:jobs permission
            read:people: Grant the read:people permission
            read:teams: Grant the read:teams permission
            write:teams: Grant the write:teams permission
            delete:teams: Grant the delete:teams permission
            manage:team-members: Grant the manage:team-members permission
            read:search: Grant the read:search permission
            write:ai-features: Grant the write:ai-features permission

````