Provide secure, self-service API key management to your customers.
API keys provide a secure way for your application’s users to authenticate with your API. With the API Keys Widget, you can offer your customers self-service API key management with a simple component. The WorkOS API and SDKs provide functions for your API code to validate keys.
Before your users can manage API keys, you need to configure your WorkOS environment.
To enable API key management for your users, ensure at least one role includes the widgets:api-keys:manage permission. This permission allows users to access the API Keys Widget and manage keys within their organization.
You can assign permissions to roles in the WorkOS Dashboard under Roles & Permissions.
You can control which permissions your users can assign to API keys by configuring API key permissions in your environment.
For example, you might create permissions like:
posts:read – Read access to posts
posts:write – Write access to posts
users:read – Read access to user data
By configuring only posts:read and posts:write as available API key permissions, your users can create API keys with granular access controls, such as read-only keys that only have the posts:read permission.
You can configure API key permissions in the WorkOS Dashboard on the Roles & Permissions page under Organization API Key Permissions.
The easiest way to enable API key management for your users is through the API Keys Widget. This widget provides a complete interface for creating, viewing, and revoking API keys.
The widget allows your users to:
The widget interacts with the WorkOS API and renders the user interface in your app, so your customers get full control over their API keys in just a few lines of code.
Once your users have created API keys through the widget, your application needs to validate these keys when they’re used to authenticate API requests. When an API request includes an API key (typically in the Authorization header), your application should validate it with WorkOS to ensure it’s legitimate and retrieve the associated permissions.
The validate API key endpoint returns the complete API key object, including:
This information allows your application to not only authenticate the request but also authorize it based on the specific permissions granted to that API key.
import { NextResponse } from 'next/server';
import { validateApiKey } from '@workos-inc/authkit-nextjs';

export async function GET() {
  // Validate the API key presented with the request against WorkOS.
  const { apiKey } = await validateApiKey();

  // An unknown or revoked key yields no apiKey object: reject the request.
  if (!apiKey) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }

  return NextResponse.json({ success: true });
}
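The route above only authenticates; the step the text describes next is authorizing the request against the permissions attached to the validated key. The following is an added example, not WorkOS or page code: it assumes the key is sent as a Bearer token, takes a validate callback in place of the WorkOS validation call, and uses a constructed in-memory key table so it runs offline.

```javascript
// Constructed sample data standing in for keys that WorkOS would return.
// Mirrors the page's example: one read-only key, one read/write key.
const SAMPLE_KEYS = {
  sk_readonly_example: { id: 'key_1', name: 'reporting', permissions: ['posts:read'] },
  sk_full_example: { id: 'key_2', name: 'publisher', permissions: ['posts:read', 'posts:write'] },
};

// Assumption: a validator resolves to the API key object, or null when the
// key is unknown or revoked. In production this is the WorkOS validate call.
async function fakeValidate(value) {
  return SAMPLE_KEYS[value] || null;
}

// Pull the key out of an Authorization header of the form "Bearer <key>".
// Anything else (missing header, wrong scheme, extra tokens) is rejected.
function extractApiKey(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const match = /^Bearer\s+(\S+)$/i.exec(authorizationHeader.trim());
  return match ? match[1] : null;
}

// Authenticate (is the key valid?) and then authorize (does it carry the
// permission this endpoint needs?). 401 and 403 are kept distinct so that
// a revoked key and an under-privileged key are distinguishable in logs.
async function authorizeRequest(headers, requiredPermission, validate = fakeValidate) {
  const token = extractApiKey(headers.authorization);
  if (!token) {
    return { status: 401, body: { error: 'Missing or malformed Authorization header' } };
  }
  const apiKey = await validate(token);
  if (!apiKey) {
    return { status: 401, body: { error: 'Unauthorized' } };
  }
  if (!Array.isArray(apiKey.permissions) || !apiKey.permissions.includes(requiredPermission)) {
    return { status: 403, body: { error: `Missing permission ${requiredPermission}` } };
  }
  return { status: 200, body: { success: true, keyId: apiKey.id } };
}
```

A read-only key therefore passes a handler that requires posts:read and is refused with 403 by one that requires posts:write, while a revoked key or a bare Authorization header is refused with 401 before any permission check runs.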
You can view and revoke your customers’ API keys through the WorkOS Dashboard:
From this view, you can see all API keys created by the organization, including their names, permissions, creation dates, and last usage information. This provides valuable visibility into how your customers are using API keys.