API keys provide a secure way for your application’s users to authenticate with your API. Organization admins create API keys through the API Keys Widget, and your application can validate these keys to authenticate API requests.
Read more about API keys in AuthKit.
{
  "object": "api_key",
  "id": "api_key_01E4ZCR3C56J083X43JQXF3JK5",
  "owner": {
    "type": "organization",
    "id": "org_01EHWNCE74X7JSDV0X3SZ3KJNY"
  },
  "name": "Production API Key",
  "obfuscated_value": "sk_...3456",
  "permissions": ["posts:read", "posts:write"],
  "created_at": "2021-06-25T19:07:33.155Z",
  "updated_at": "2021-06-25T19:07:33.155Z",
  "last_used_at": "2021-06-25T19:07:33.155Z"
}
Get a list of all API keys for the provided organization.
curl --request GET \
  --url "https://api.workos.com/organizations/org_01EHWNCE74X7JSDV0X3SZ3KJNY/api_keys" \
  --header "Authorization: Bearer sk_example_123456789"
GET /organizations/:id/api_keys

Creates a new API key for the specified organization. The response includes the full API key value, which is only returned once at creation time. Make sure to store this value securely as it cannot be retrieved again.
You can optionally specify permissions to control what actions the API key can perform. If no permissions are provided, the key will have no specific permissions assigned.
curl --request POST \
  --url "https://api.workos.com/organizations/org_01EHWNCE74X7JSDV0X3SZ3KJNY/api_keys" \
  --header "Authorization: Bearer sk_example_123456789" \
  --header "Content-Type: application/json" \
  -d @- <<BODY
{
  "name": "Production API Key",
  "permissions": ["posts:read", "posts:write"]
}
BODY
Permanently deletes an API key. This action cannot be undone. Once deleted, any requests using this API key will fail authentication.
curl --request DELETE \
  --url "https://api.workos.com/api_keys/api_key_01E4ZCR3C56J083X43JQXF3JK5" \
  --header "Authorization: Bearer sk_example_123456789"
DELETE /api_keys/:id

Validates an API key and returns its associated metadata if the key is valid. Your application’s API uses this endpoint to authenticate incoming requests that include an API key.
The endpoint returns the complete API key object when validation succeeds, allowing you to access the key’s permissions and owner information for authorization purposes. If the key is invalid, the endpoint returns null for the api_key field.
import { WorkOS } from '@workos-inc/node';

// Client for the WorkOS API.
const workos = new WorkOS('sk_example_123456789');

// Validate the API key value sent by the caller of your API.
const result = await workos.apiKeys.validateApiKey({
  value: 'sk_abcdefghijklmnop123456',
});
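The validation response described above can drive a fail-closed authorization check that uses the key's permissions and owner. This is an added example, not WorkOS code: the function names, the Bearer header convention for your own API, the status codes, and the `validate` callback (assumed to return the raw `{ api_key: ... }` response shape) are all assumptions.

```javascript
// Added example: fail-closed authorization on top of API key validation.
// Assumption: `validate` is a caller-supplied async function that returns the
// validation response in the shape described above: { api_key: {...} | null }.

// Pull the key out of an "Authorization: Bearer <key>" header, or return null.
// Node lowercases incoming header names, so only that spelling is checked.
function extractApiKey(headers) {
  const header = headers['authorization'];
  if (typeof header !== 'string') return null;
  const match = /^Bearer ([^\s]+)$/.exec(header);
  return match ? match[1] : null;
}

// Turn a validation response into an allow/deny decision for one permission.
function decide(response, requiredPermission) {
  const key = response && response.api_key;
  if (!key) return { allowed: false, status: 401, reason: 'invalid_key' };
  if (!key.owner || key.owner.type !== 'organization') {
    return { allowed: false, status: 403, reason: 'unexpected_owner' };
  }
  // A key created without permissions has none, so it is denied here.
  const perms = Array.isArray(key.permissions) ? key.permissions : [];
  if (!perms.includes(requiredPermission)) {
    return { allowed: false, status: 403, reason: 'missing_permission' };
  }
  // Callers should scope all later data access to the owning organization.
  return { allowed: true, status: 200, organizationId: key.owner.id, keyId: key.id };
}

async function authorizeRequest(headers, requiredPermission, validate) {
  const value = extractApiKey(headers);
  if (!value) return { allowed: false, status: 401, reason: 'missing_key' };
  try {
    return decide(await validate(value), requiredPermission);
  } catch (err) {
    // Validation unreachable or errored: deny rather than let the request through.
    return { allowed: false, status: 503, reason: 'validation_unavailable' };
  }
}

// Constructed sample response, modelled on the API key object shown earlier.
const SAMPLE_VALID = { api_key: {
  id: 'api_key_01E4ZCR3C56J083X43JQXF3JK5',
  owner: { type: 'organization', id: 'org_01EHWNCE74X7JSDV0X3SZ3KJNY' },
  permissions: ['posts:read', 'posts:write'],
} };
```

The decision object carries the key id and organization id rather than the key value, so it is safe to pass to request logging.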