> ## Documentation Index > Fetch the complete documentation index at: https://docs.suprsend.com/llms.txt > Use this file to discover all available pages before exploring further. # Create Workspace Signing Key > Create a signing key for this workspace. The `private_key_pem` and `private_key_base64` fields are returned **only once** at creation. Store them securely — they cannot be retrieved later. Only **one active** signing key is allowed per workspace. To replace an existing active key, use the [Roll Workspace Signing Key](#operation/roll-workspace-signing-key) endpoint instead. ## OpenAPI ````yaml POST /v1/{workspace}/ws_signing_key/ openapi: 3.1.1 info: title: SuprSend API description: APIs supported on suprsend platform version: 1.2.2 servers: - url: https://hub.suprsend.com security: - sec0: [] - BearerAuth: [] paths: /v1/{workspace}/ws_signing_key/: post: summary: Create Workspace Signing Key description: > Create a signing key for this workspace. The `private_key_pem` and `private_key_base64` fields are returned **only once** at creation. Store them securely — they cannot be retrieved later. Only **one active** signing key is allowed per workspace. To replace an existing active key, use the [Roll Workspace Signing Key](#operation/roll-workspace-signing-key) endpoint instead. operationId: create-workspace-signing-key parameters: - in: path name: workspace required: true schema: type: string description: Workspace slug (e.g. `staging`, `production`). responses: '201': description: >- Signing key created. Private key material is returned once in this response. content: application/json: schema: $ref: >- #/components/schemas/ManagementWorkspaceSigningKeyCreateResponse example: id: ws_signk_exampleId01 uid: signing_key_exampleUid01 status: active allowed_domains: null expiry_at: null private_key_pem: | -----BEGIN PRIVATE KEY----- ...redacted... -----END PRIVATE KEY----- private_key_base64: LS0tLS1CRUdJTi...redacted... created_at: '2026-04-21T12:35:24.117631Z' created_by: name: System User email: org_XXXXXXXXXXXXXXXXXXXXXX@systemuser.suprsend.com rolled_at: null rolled_by: null deleted_at: null deleted_by: null '400': description: >- Validation error — for example, an active signing key already exists. content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' example: code: 400 error_code: error type: ValidationError message: '["only 1 active signing key is allowed"]' detail: - only 1 active signing key is allowed '401': $ref: '#/components/responses/AuthenticationError' '404': $ref: '#/components/responses/NotFoundError' security: - ServiceTokenAuth: [] servers: - url: https://management-api.suprsend.com x-codeSamples: - lang: cURL label: Create Workspace Signing Key source: > curl -X POST "https://management-api.suprsend.com/v1/{workspace}/ws_signing_key/" \ --header 'Authorization: ServiceToken ' \ --header 'Content-Type: application/json' components: schemas: ManagementWorkspaceSigningKeyCreateResponse: allOf: - $ref: '#/components/schemas/ManagementWorkspaceSigningKey' - type: object properties: private_key_pem: type: string description: >- PEM-encoded private key. Returned only at creation and on roll — store it securely and never commit to source control. example: | -----BEGIN PRIVATE KEY----- ...redacted... -----END PRIVATE KEY----- private_key_base64: type: string description: >- Base64-encoded private key. Returned only at creation and on roll. example: LS0tLS1CRUdJTi...redacted... ErrorResponse: type: object properties: code: type: integer description: HTTP status code error_code: type: string description: Specific error code identifier type: type: string description: Error type classification message: type: string description: Human-readable error message detail: type: string description: Additional error details ManagementWorkspaceSigningKey: type: object description: Signing key used to verify signed payloads. properties: id: type: string example: ws_signk_exampleId01 uid: type: string description: Signing key uid used in path parameters for roll/delete. example: signing_key_exampleUid01 status: type: string description: Status of the signing key. enum: - active - rolled allowed_domains: type: array nullable: true items: type: string expiry_at: type: string format: date-time nullable: true created_at: type: string format: date-time created_by: $ref: '#/components/schemas/ManagementActor' rolled_at: type: string format: date-time nullable: true rolled_by: $ref: '#/components/schemas/ManagementActor' deleted_at: type: string format: date-time nullable: true deleted_by: $ref: '#/components/schemas/ManagementActor' ManagementActor: type: object description: >- Identity that performed an action (created, updated, rolled, deleted, rotated). nullable: true properties: name: type: string description: Display name of the actor. example: System User email: type: string description: Email address of the actor. example: user@example.com responses: AuthenticationError: description: Authentication failed content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' example: code: 401 error_code: authentication_failed type: AuthenticationFailed message: Invalid service token. detail: Invalid service token. NotFoundError: description: Resource not found content: application/json: schema: $ref: '#/components/schemas/ErrorResponse' example: code: 404 error_code: not_found type: NotFound message: workspace 'demo' not found detail: workspace 'demo' not found securitySchemes: sec0: type: apiKey in: header name: Authorization x-bearer-format: bearer description: >- Bearer authentication header of the form `Bearer `, where is your auth token. BearerAuth: type: http scheme: bearer bearerFormat: API_Key description: >- Pass as `Bearer `. Get API Key from SuprSend dashboard Developers -> API Keys section. ServiceTokenAuth: type: apiKey in: header name: ServiceToken description: >- You can get Service Token from [SuprSend dashboard -> Account Settings -> Service Tokens](https://app.suprsend.com/en/account-settings/service-tokens) section. ````