Client Encryption Keys
Client Encryption Keys are asymmetric key pairs generated by Basis Theory for encrypting sensitive data on the client side. The public key is used to encrypt data in your frontend (e.g., with Elements), and the encrypted payload can be sent to your backend and then to Basis Theory for secure storage or processing.
API Endpoints
Create Key
Create a new key. The public key is only returned when creating a key.
Permissions
keys:create
Request
- cURL
- Node
- C#
- Java
- Python
- Go
curl -X POST "https://api.basistheory.com/keys" \
-H "BT-API-KEY: <MANAGEMENT_API_KEY>" \
-H "Content-Type: application/json" \
-d '{
"expires_at": "2026-05-01T00:00:00Z"
}'
await client.keys.create({
expires_at: "2026-05-01T00:00:00Z"
});
await client.Keys.CreateAsync(new ClientEncryptionKeyRequest {
ExpiresAt = DateTimeOffset.Parse("2026-05-01T00:00:00Z")
});
new KeysClient(ClientOptions.builder().build())
.create(ClientEncryptionKeyRequest.builder()
.expiresAt(OffsetDateTime.parse("2026-05-01T00:00:00Z"))
.build());
client.keys.create(expires_at="2026-05-01T00:00:00Z")
key, err := client.Keys.Create(ctx, &basistheory.ClientEncryptionKeyRequest{
ExpiresAt: timePtr(time.Date(2026, 5, 1, 0, 0, 0, 0, time.UTC)),
})
Request Body
| Field | Type | Required | Description |
|---|---|---|---|
| expires_at | string | No | Expiration date (ISO 8601). Max 1 year. |
Response
Returns a Key if successful. Returns an error if there were validation errors.
{
"id": "b1e2c3d4-5678-1234-9abc-def012345678",
"publicKeyPEM": "-----BEGIN PUBLIC KEY-----\nWQ4geAENWHyR7+g94nN6lFZzY7YdGWxPtlX/16fJ4z0=\n-----END PUBLIC KEY-----",
"expires_at": "2026-05-01T00:00:00Z"
}
List Keys
List all keys for the current tenant. The public key is not included in the response.
Permissions
keys:read
Request
- cURL
- Node
- C#
- Java
- Python
- Go
curl "https://api.basistheory.com/keys" \
-H "BT-API-KEY: <MANAGEMENT_API_KEY>"
await client.keys.list();
await client.Keys.ListAsync();
new KeysClient(ClientOptions.builder().build()).list();
client.keys.list()
keys, err := client.Keys.List(ctx)
Response
Returns an array of Key.
[
{
"id": "b1e2c3d4-5678-1234-9abc-def012345678",
"publicKeyPEM": "-----BEGIN PUBLIC KEY-----\nWQ4geAENWHyR7+g94nN6lFZzY7YdGWxPtlX/16fJ4z0=\n-----END PUBLIC KEY-----",
"expires_at": "2026-05-01T00:00:00Z"
}
]
Get Key by ID
Get a key by ID. The public key is not included in the response.
Permissions
keys:read
Request
- cURL
- Node
- C#
- Java
- Python
- Go
curl "https://api.basistheory.com/keys/{id}" \
-H "BT-API-KEY: <MANAGEMENT_API_KEY>"
await client.keys.get("{id}");
await client.Keys.GetAsync("{id}");
new KeysClient(ClientOptions.builder().build()).get("{id}");
client.keys.get("{id}")
key, err := client.Keys.Get(ctx, "{id}")
Response
Returns a Key. Returns an error if the key does not exist.
{
"id": "b1e2c3d4-5678-1234-9abc-def012345678",
"publicKeyPEM": "-----BEGIN PUBLIC KEY-----\nWQ4geAENWHyR7+g94nN6lFZzY7YdGWxPtlX/16fJ4z0=\n-----END PUBLIC KEY-----",
"expires_at": "2026-05-01T00:00:00Z"
}
Delete Key
Delete a key by ID.
Permissions
keys:delete
Request
- cURL
- Node
- C#
- Java
- Python
- Go
curl -X DELETE "https://api.basistheory.com/keys/{id}" \
-H "BT-API-KEY: <MANAGEMENT_API_KEY>"
await client.keys.delete("{id}");
await client.Keys.DeleteAsync("{id}");
new KeysClient(ClientOptions.builder().build()).delete("{id}");
client.keys.delete("{id}")
err := client.Keys.Delete(ctx, "{id}")
Response
Returns no content (204). Returns an error if the key does not exist.
Key Object
| Attribute | Type | Description |
|---|---|---|
| id | string | Unique identifier for the key |
| public_key_pem | string | The public key in PEM format |
| expires_at | string | When this key expires (ISO 8601) |