Hi Martin, thanks for the reply.
I found "The Access Control section is the primary way to limit access to your APIs if you are running multiple Definitions. In other words, if there is nothing set in the access_rights section, then the user is granted access to all APIs defined on the system.", but when I send the request to create a key, I get the response:
"error": "Failed to create key, keys must have at least one Access Rights record set.",