API keys
Create, scope, and revoke the keys that authenticate API requests.
The API Keys page manages the keys your organization uses to call the API. From here you create and revoke keys, scope them, set expiration and allowed IPs, and view per-key and org-wide usage. A key's secret is shown once, at creation, and never again.
This page covers configuring keys in the console. For how a key authenticates a request, and how scopes work, see Authenticating with API keys and Resource filters.
The page appears only after your organization is bootstrapped for API keys: a one-time setup that provisions the key-signing infrastructure.
Creating a key
| Field | Type | Required | Notes |
|---|---|---|---|
| Name | string | Yes | Label for the key |
| Expires at | date-time | No | Leave blank for no expiry |
| Scopes | list | Yes | One or more action + resource filter pairs |
| Allowed IP CIDRs | list | No | Defaults to allow-all (0.0.0.0/0 and ::/0) |
Scopes
Each scope is an action plus a resource filter.
| Action | Meaning |
|---|---|
read | Read access |
write | Create, update, delete |
admin | Administrative actions |
* | Any action |
The resource filter limits which resources the action applies to. Clear it to mean all
resources (*). See Resource filters for the path syntax.
Allowed IPs
Restrict a key to specific networks with CIDR ranges. IPv4 and IPv6 rules are matched
independently. A wildcard range (0.0.0.0/0 or ::/0) accepts all addresses of that
version, which the form flags with a warning.
States
Key status
| Status | Meaning |
|---|---|
Active | Usable |
Expired | Past its expiration |
Revoked | Permanently disabled |
Filter the list by status (default: Active), and search by name.
One-time secret
After you create a key, its secret value is shown once. You must acknowledge that you've copied it before continuing. The secret is never retrievable again. If you lose it, revoke the key and create a new one.
Editing and revoking
- Editing scopes or allowed IPs can immediately break calls made with that key. The form warns before you save.
- Revoking a key is permanent. To remove a key, revoke it.
API
Key management endpoints are coming soon to the v2 API. For now, create, scope, and revoke keys in the console. The created secret is shown once, at creation.