What API keys can access
Organization API keys authenticate to platform APIs for the organization they were created in. The key inherits the creator’s organization role and access. That means a key created by an admin can access admin-level platform APIs, while a key created by a builder is limited to builder-level access. API keys can be sent as: ?token= or ?api_key= query parameters. Prefer headers for new scripts.
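Keys sent as ?token= or ?api_key= end up in the request line of access and proxy logs, which is one practical reason to prefer headers. The following is an added example, not part of the platform's own tooling: it redacts those two parameters from access-log lines and reports which lines exposed a key so the key can be revoked. The log format, paths, key values and the last-four-characters preview are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names the page lists as carrying an API key.
# Matched case-insensitively so the scrubber errs on the side of redacting.
KEY_PARAMS = {"token", "api_key"}

# Constructed sample access-log lines (addresses, paths and keys are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2025:10:01:02 +0000] "GET /v1/items?limit=10 HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2025:10:01:09 +0000] "GET /v1/items?api_key=EXAMPLEKEY-aaaa1111&limit=5 HTTP/1.1" 200 498',
    '10.0.0.9 - - [12/Mar/2025:10:02:30 +0000] "POST /v1/runs?Token=EXAMPLEKEY-bbbb2222 HTTP/1.1" 201 77',
]
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, leaked_values) for one request target."""
    parts = urlsplit(target)
    leaked, pairs = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in KEY_PARAMS and value:
            leaked.append(value)
            value = "REDACTED"
        pairs.append((name, value))
    if not leaked:
        return target, []  # leave untouched targets byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs))), leaked

def scrub_log(lines):
    """Redact key-bearing query parameters; report which lines exposed a key."""
    clean, findings = [], []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            clean.append(line)
            continue
        target, leaked = redact_target(match.group("target"))
        for value in leaked:
            # Keep only a short preview so the finding itself is not a secret.
            findings.append((number, "..." + value[-4:]))
        clean.append(line[:match.start("target")] + target + line[match.end("target"):])
    return clean, findings

if __name__ == "__main__":
    cleaned, hits = scrub_log(SAMPLE_LOG)
    print("\n".join(cleaned), hits, sep="\n")
```

Any key that shows up in the findings should be treated as exposed and revoked.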
API keys and the CLI
API keys have nothing to do with CLI access today. The CLI is authenticated and accessed at the user level, not with org-scoped API keys. When you run keystroke auth login, you authenticate as a user. From there, the CLI can access every organization you belong to and switch between them. It is not scoped to a single organization the way an API key is.
So use API keys for scripts and external tools hitting the platform API, and use keystroke auth login for CLI work like keystroke deploy.
Create a key
Create API keys from the web app or the CLI.

| Column | What it means |
|---|---|
| Name | The label you gave the key |
| Key preview | A non-secret preview for identifying the key |
| Created at | When the key was created |
| Created by | The member who created the key, when your role can see it |
Visibility and permissions
API key visibility depends on your organization role:

| Role | What it can do |
|---|---|
| Owner | View all keys, create keys, and revoke any key |
| Admin | View all keys, create keys, and revoke any key |
| Builder | Create keys and view keys they created |
Revoke a key
Revoke a key when it is no longer needed, when a teammate leaves, or when you think the secret may have been exposed.
Use keys in scripts
Store the key in an environment variable and pass it as a header:
Next steps
Members
Understand the organization roles API keys inherit.
Organization
Manage organization-wide settings.
CLI reference
See the API key command reference.
Credentials
Store runtime credentials for agents and workflows.