API Keys
Manage API keys scoped to this specific project
The API Keys page is where you create and manage keys scoped to this project. Project-scoped keys can only access resources in this project; for tenant-wide keys, use the org-level analogue.
For background on authentication, see Authentication.
What's on the page
A table of existing keys for this project:
| Column | Notes |
|---|---|
| Name | Your descriptive label |
| Key prefix | First 16 characters of the key (e.g. ss_secret_abc123...) |
| Created | Timestamp |
| Last Used | When the key was last seen on a request |
| Status | Active / Revoked |
| Actions | Revoke (active keys only) |
Revoked keys are kept in the table for the audit trail but they don't work anymore.
Creating a new key
Click Create key. A modal asks for:
| Field | Notes |
|---|---|
| Name | For your reference (e.g. production-ingest) |
| Permissions | Multi-select from analysis:create, analysis:read, config:read, config:write |
After creation, the full key value is shown once with a "Dismiss" button. Copy it immediately — there's no way to retrieve it again.
Store API keys in a secret manager. Don't commit them to git, paste them into chat, or send them via email.
Revoking
Click Revoke on any active key. After confirmation, the key stops working immediately. There's no soft-delete — once revoked, that's permanent.
Required role
| Action | Required permission |
|---|---|
| View list | config:read |
| Create key | config:write |
| Revoke | config:write |
Best practices
- Rotate periodically — every 90 days is a reasonable cadence
- Use a new key per integration — easier to identify and revoke one without breaking others
- Grant minimum permissions — server-to-server analysis ingestion doesn't need config:write
- Track lastUsedAt — keys that haven't been used in months are prime candidates for revocation
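The practices above can be checked mechanically against a key inventory. The following is an added example, not code from this product: the record layout (`name`, `status`, `createdAt`, `permissions`), the 60-day staleness threshold and the sample keys are assumptions constructed for illustration; only `lastUsedAt`, the 90-day cadence and the permission names come from this page.

```python
from datetime import datetime, timedelta, timezone

ROTATE_AFTER = timedelta(days=90)  # rotation cadence from the best-practices list
STALE_AFTER = timedelta(days=60)   # assumed reading of "unused in months"

# Constructed sample inventory; field names other than lastUsedAt are assumed.
SAMPLE_NOW = datetime(2025, 6, 15, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"name": "production-ingest", "status": "Active",
     "createdAt": "2025-01-10T09:00:00Z", "lastUsedAt": "2025-06-14T08:30:00Z",
     "permissions": ["analysis:create", "config:write"]},
    {"name": "dashboard-readonly", "status": "Active",
     "createdAt": "2025-05-20T09:00:00Z", "lastUsedAt": "2025-06-10T12:00:00Z",
     "permissions": ["analysis:read", "config:read"]},
    {"name": "old-batch-job", "status": "Active",
     "createdAt": "2024-11-01T09:00:00Z", "lastUsedAt": "2025-02-01T00:00:00Z",
     "permissions": ["analysis:create"]},
    {"name": "new-unused", "status": "Active",
     "createdAt": "2025-06-12T09:00:00Z", "lastUsedAt": None,
     "permissions": ["analysis:read"]},
    {"name": "legacy-admin", "status": "Revoked",
     "createdAt": "2024-01-01T09:00:00Z", "lastUsedAt": "2024-03-01T00:00:00Z",
     "permissions": ["config:write"]},
]

def _ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2025-01-10T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_keys(keys, now):
    """Return {key name: [findings]} for active keys that need attention."""
    report = {}
    for key in keys:
        if key["status"] != "Active":
            continue  # revoked keys stay listed for the audit trail only
        created = _ts(key["createdAt"])
        # A key that was never used is measured from its creation time.
        last_seen = _ts(key["lastUsedAt"]) if key["lastUsedAt"] else created
        perms = set(key["permissions"])
        findings = []
        if now - created > ROTATE_AFTER:
            findings.append("rotate")
        if now - last_seen > STALE_AFTER:
            findings.append("stale")
        # Ingestion keys do not need config:write (per the best-practices list).
        if {"analysis:create", "config:write"} <= perms:
            findings.append("over-permissioned")
        if findings:
            report[key["name"]] = findings
    return report
```

Calling `audit_keys(SAMPLE_KEYS, SAMPLE_NOW)` returns findings only for active keys; revoked keys and keys with nothing to report are omitted.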
