Overview
API Keys provide machine-to-machine authentication for the Enterprise API. They are ideal for automated systems, integrations, and services that need to interact with the API programmatically.
Key Concepts
API Key Creation
API Keys can only be created by users with appropriate permissions (Super Admin or users with the create-apikey permission).
Initial State
By default, new API Keys do not have any roles assigned, which means they cannot perform any operations. They must be assigned roles to gain access to specific operations within organizations, tenants, or services.
Expiration
API Keys can optionally have an expiration time:
- If no expiration is set, the key remains valid indefinitely
- Expired keys are automatically rejected by the API
API Key vs Account
| Feature | API Key | Account |
|---|---|---|
| Authentication | Bearer token | Email + password |
| Use case | Machine-to-machine | Human users |
| Session management | None (stateless bearer token) | Yes (session tokens) |
| Creation | Admin only | Admin or self-registration |
| Expiration | Optional TTL | No (unless manually disabled) |
Security Best Practices
| Practice | Description |
|---|---|
| Set Expiration | Always set an expiration time for production API keys |
| Regular Rotation | Establish a rotation schedule (e.g., every 90 days) |
| Least Privilege | Assign only the permissions necessary for the key's purpose |
| Secure Storage | Store API keys securely; never commit them to version control |
| Monitor Usage | Review API key usage in audit logs regularly |
| Immediate Revocation | Delete compromised keys immediately |
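As an added example (not part of this documentation or of the Enterprise API's own code), the following Python sketch models the rules described above: a bearer API key is looked up by hash, rejected when expired, denied outright when it has no roles (the initial state), and flagged once it is older than the 90-day rotation schedule. The `Authorization: Bearer <key>` header format, the SHA-256 hashing of stored keys and the `service:read` role name are assumptions, not taken from the page.

```python
"""Added example (not the Enterprise API's own code) modelling this page's API key rules.
Assumed, not from the page: keys arrive as `Authorization: Bearer <key>` and the
server stores only a SHA-256 hash of each key, never the plaintext."""
from __future__ import annotations
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ApiKeyRecord:
    key_hash: str                        # hash of the secret; plaintext is never stored
    created_at: datetime
    expires_at: datetime | None = None   # None: the key stays valid indefinitely
    roles: frozenset[str] = frozenset()  # initial state: no roles assigned

def key_hash(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()

def authorize(auth_header: str, store: dict[str, ApiKeyRecord],
              required_role: str, now: datetime) -> str:
    """Return 'allow' or a 'deny: ...' reason; every path that is not checked denies."""
    scheme, _, token = auth_header.partition(" ")
    if scheme != "Bearer" or not token:
        return "deny: malformed Authorization header"
    record = store.get(key_hash(token))
    if record is None:  # never created, or deleted on compromise
        return "deny: unknown key"
    if record.expires_at is not None and now >= record.expires_at:
        return "deny: expired key"
    if not record.roles:  # a key with no roles cannot perform any operation
        return "deny: key has no roles assigned"
    if required_role not in record.roles:
        return "deny: missing role"
    return "allow"

def needs_rotation(rec: ApiKeyRecord, now: datetime, max_age=timedelta(days=90)) -> bool:
    return now - rec.created_at >= max_age  # 90-day schedule from the best-practices table

NOW = datetime(2026, 5, 7, tzinfo=timezone.utc)  # constructed reference time
DAY = timedelta(days=1)
READ = frozenset({"service:read"})  # assumed role name
STORE = {  # constructed sample records; the secrets are placeholders, not real keys
    key_hash("ci-key"): ApiKeyRecord(key_hash("ci-key"), NOW - 10 * DAY, roles=READ),
    key_hash("fresh-key"): ApiKeyRecord(key_hash("fresh-key"), NOW),  # no roles yet
    key_hash("old-key"): ApiKeyRecord(key_hash("old-key"), NOW - 120 * DAY, NOW - DAY, READ),
}

if __name__ == "__main__":
    for header in ("Bearer ci-key", "Bearer fresh-key", "Bearer old-key"):
        print(header, "->", authorize(header, STORE, "service:read", NOW))
```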
Get Started
- Create API Key - How to create a new API key
- Assign Role - How to assign roles to an API key
Last updated on May 7, 2026
