Max Keys Exceeded
max_keys_exceeded409
The account has reached the 10-key ceiling. Revoke an unused key before creating a new one.
What this means
A request tried to create a new API key but the account already has 10 active keys, which is the per-account ceiling. The new key was not created. Existing keys are unaffected — they continue to work. The fix is to revoke a key you no longer need, then create the new one.
When you'll see this
- An automation is creating ephemeral keys without ever revoking them, accumulating cruft over time.
- Multiple developers on the same account have each created personal keys without cleaning up.
- A previous OAuth-style flow left behind expired-looking but still-active keys.
- A test or CI pipeline is creating keys per run instead of reusing a stable test key.
Learn more about how this works
The 10-key limit exists to keep the security surface manageable. Each active key is something that could be leaked, rotated, or revoked — and accounts that accumulate dozens of stale keys end up with poor hygiene on all of them. Ten keys is enough headroom for development + staging + production + a few specialized integrations per account, but not so many that key management becomes its own problem.
The most common gotcha: "active" doesn't mean "in use." A key that hasn't been called in 6 months still counts against the limit if it's not revoked. Audit your key list periodically and revoke anything you can't identify.
Example response
{
"success": false,
"error": "max_keys_exceeded",
"message": "Maximum of 10 API keys per account reached.",
"details": [],
"retry_after": null,
"doc_url": "https://docs.asterwise.com/reference/errors/max_keys_exceeded",
"request_id": "req_01HXYZABCDEFGH",
"timestamp": "2026-05-25T12:34:56Z"
}
- Sign in at asterwise.com/dashboard and open the API Keys page.
- Review the list — look for keys you don't recognize, keys from old projects, or keys created for one-off tests.
- Revoke at least one key, then retry creating the new one.
This is configuration territory, not application logic. Don't auto-revoke keys from code unless you own the entire account.
Python:
Production handler
- Python
- TypeScript
import httpx
class TooManyKeysError(Exception):
"""Account has 10 active keys. Revoke one before creating more."""
def create_api_key(name, base_url, headers):
response = httpx.post(
f"{base_url}/v1/keys",
headers=headers,
json={"name": name},
timeout=15,
)
if response.status_code == 409:
body = response.json()
if body.get("error") == "max_keys_exceeded":
raise TooManyKeysError(
"Account at 10-key limit. "
"Revoke unused keys at asterwise.com/dashboard before retrying."
)
response.raise_for_status()
return response.json()
class TooManyKeysError extends Error {}
async function createApiKey(name: string, baseUrl: string, headers: HeadersInit) {
const response = await fetch(`${baseUrl}/v1/keys`, {
method: "POST",
headers,
body: JSON.stringify({ name }),
});
if (response.status === 409) {
const body = await response.json();
if (body.error === "max_keys_exceeded") {
throw new TooManyKeysError(
"Account at 10-key limit. " +
"Revoke unused keys at asterwise.com/dashboard before retrying.",
);
}
}
if (!response.ok) throw new Error(`HTTP ${response.status}`);
return response.json();
}
Avoid this error by
- Name keys clearly when you create them.
production-web-2026-01is better thanKey 4. Future-you (or future-teammate) will know which ones are still needed. - For ephemeral integrations (CI, scripts, demos), use one stable key and rotate it on a schedule, not one key per run.
- Audit your key list quarterly. Revoke anything older than 90 days that you can't justify keeping.
- For multi-developer accounts, document which keys belong to which person or service in your team's shared notes.