Authentication
All API requests use a Bearer token. Keys are minted per app account in the team UI. Open a team in team.yeil.app, go to its app account, then Apps. The secret is shown exactly once on creation; store it somewhere safe. Keys follow the format yk_<keyId>_<secret>.
The same key also authenticates SMTP submission, so no separate credentials are needed.
curl -H "Authorization: Bearer yk_..." \
  https://api.yeil.app/v1/dns/zones
Permissions
An app account has two independent permission axes. The record-level scope controls what the key can do with DNS records. The org-level scope controls zone management. Both support a per-zone override that takes precedence over the default.
| Scope | none | read | write |
|---|---|---|---|
| All zones (default) | No access to any zone | List and read records in all zones | Create, update, and delete records in all zones |
| Per-zone override | No access to this zone | List and read records in this zone only | Create, update, and delete records in this zone only |
| Manage zones (org) | No zone management | List zones in this org | Create and delete zones in this org |
A key only sees zones belonging to its own org. Requests targeting another org's zones return 404, not 403.
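
The precedence rules above, modelled as an added example (not the service's own code) that can be used to reason about what a key configuration actually grants. The `AppKey` class, the action labels, and the assumption that `write` includes `read` are illustrative and not taken from the API.

```python
from dataclasses import dataclass, field

LEVELS = {"none": 0, "read": 1, "write": 2}  # assumed ordering: write includes read

# Hypothetical action labels (not API identifiers) -> (axis, minimum scope).
REQUIRED = {
    "records:read": ("record", "read"),
    "records:write": ("record", "write"),
    "zones:list": ("org", "read"),
    "zones:manage": ("org", "write"),  # create and delete zones
}


@dataclass
class AppKey:
    org: str
    record_default: str = "none"
    org_default: str = "none"
    record_overrides: dict = field(default_factory=dict)  # zone name -> scope
    org_overrides: dict = field(default_factory=dict)     # zone name -> scope


def effective_scope(key, axis, zone=None):
    """A per-zone override, when present, wins over the axis default."""
    default = key.record_default if axis == "record" else key.org_default
    overrides = key.record_overrides if axis == "record" else key.org_overrides
    return overrides.get(zone, default)


def decide(key, action, zone=None, zone_org=None):
    """Return 'allow', 'deny' or 'not_found' for one request."""
    if zone is not None and zone_org != key.org:
        return "not_found"  # another org's zone: the API answers 404, not 403
    axis, needed = REQUIRED[action]
    have = effective_scope(key, axis, zone)
    # The HTTP status for an in-org 'deny' is not stated on the page.
    return "allow" if LEVELS[have] >= LEVELS[needed] else "deny"


# Constructed sample: read everywhere, write on one zone, one zone blocked.
SAMPLE = AppKey(org="acme", record_default="read",
                record_overrides={"example.org": "write", "internal.example": "none"})

if __name__ == "__main__":
    for action, zone in [("records:write", "example.org"), ("records:write", "example.com"),
                         ("records:read", "internal.example"), ("zones:manage", None)]:
        print(action, zone, decide(SAMPLE, action, zone, "acme"))
```

The sample key shows a least-privilege layout: the override raises one zone to `write`, lowers another to `none`, and the record-level grants give no zone-management rights because the org-level axis is separate.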
Revoke or rotate
Revoke a key in the same Apps UI where you created it. To rotate: mint a new key, update your integrations, then delete the old one. There is no forced expiry; keys stay valid until you revoke them.