---
title: API Keys
description: 'Provide secure, self-service API key management to your customers.'
showNextPage: true
originalPath: .tmp-workos-clone/packages/docs/content/authkit/api-keys.mdx
---

## Introduction

API keys provide a secure way for your application's users to authenticate with your API. With the [API Keys Widget](/widgets/api-keys), your customers can create and revoke [organization](/authkit/users-organizations/organizations)-scoped API keys with a simple component. The WorkOS API and SDKs provide functions for your API code to validate keys.

API keys are one of two ways WorkOS enables you to issue credentials to your customers that they use to programmatically access your application. The other is [M2M applications](/authkit/connect/m2m). The [API Keys vs M2M Applications guide](https://workos.com/blog/api-keys-vs-m2m-applications) can help you decide which is best for your use case.

## Configuring API keys

Before your users can manage API keys, you need to configure your WorkOS environment.

### Setting up role permissions

To enable API key management for your users, ensure at least one role includes the `widgets:api-keys:manage` permission. This permission allows users to access the [API Keys Widget](/widgets/api-keys) and manage keys within their organization.

You can [assign permissions to roles](/authkit/roles-and-permissions/configure-roles-and-permissions/assign-permissions-to-roles) in the WorkOS Dashboard under _Authorization_.

### Configuring available permissions

You can control which permissions your users can assign to API keys by configuring API key permissions in your environment.

For example, you might create permissions like:

- `posts:read` - Read access to posts
- `posts:write` - Write access to posts
- `users:read` - Read access to user data

By configuring only `posts:read` and `posts:write` as available API key permissions, your users can create API keys with granular access controls, such as read-only keys that only have the `posts:read` permission.

You can configure API key permissions in the WorkOS Dashboard under _Authorization > Configuration > Organization API key permissions_.

## API key management in your application

### Using the API Keys Widget

The easiest way to enable API key management for your users is through the [API Keys Widget](/widgets/api-keys). This widget provides a complete interface for creating, viewing, and revoking API keys.

The widget allows your users to:

- Create new API keys with custom names
- Select specific permissions for each key
- View existing API keys (with obfuscated values for security)
- Revoke API keys when they're no longer needed

The widget interacts with the WorkOS API and renders the user interface in your app, so your customers get full control over their API keys in just a few lines of code.

### Managing API keys via the API

You can also manage API keys programmatically using the WorkOS API. This is useful for building custom API key management interfaces or automating key lifecycle operations.

- [Create an API key](/reference/authkit/api-keys/create-for-organization) for an organization
- [List API keys](/reference/authkit/api-keys/list-for-organization) for an organization
- [Delete an API key](/reference/authkit/api-keys/delete)

## Validating API keys

Once API keys have been created, your application needs to validate these keys when they're used to authenticate API requests. When an API request includes an API key (typically in the `Authorization` header), your application should validate it with WorkOS to ensure it's legitimate and retrieve the associated permissions.

The [validate API key endpoint](/reference/authkit/api-keys/validate) returns the complete [API key object](/reference/authkit/api-keys), including:

- The organization that owns the key
- The permissions assigned to the key
- Usage metadata like creation and last-used timestamps

This information allows your application to not only authenticate the request but also authorize it based on the specific permissions granted to that API key.

<CodeBlock>
  <CodeBlockTab file="api-keys-validate-nextjs" title="Next.js" language="js" />
  <CodeBlockTab
    file="api-keys-validate-express"
    title="Express"
    language="js"
  />
  <CodeBlockTab
    file="api-keys-validate-flask"
    title="Flask"
    language="python"
  />
</CodeBlock>
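As an added example (not this page's or the WorkOS SDK's own code), the same check written framework-agnostically in JavaScript: it extracts the key from the `Authorization` header, hands it to an injected `validateKey` function that stands in for the WorkOS validate call, and enforces the permission a route requires, distinguishing an unauthenticated caller (401) from a valid key that lacks the permission (403). The `owner` and `permissions` field names on the returned API key object are assumed, and the stub validator and its sample key are constructed for offline use.

```javascript
// Added example, not WorkOS code. `validateKey` is injected so the decision
// logic runs offline; field names `owner` and `permissions` are assumed.

const BEARER = /^Bearer\s+(\S+)$/i;

// Pull the key value out of an Authorization header; null if absent or malformed.
function extractApiKey(authorizationHeader) {
  if (typeof authorizationHeader !== 'string') return null;
  const match = BEARER.exec(authorizationHeader.trim());
  return match ? match[1] : null;
}

// Turn a validated API key object (or null when validation failed) into a
// decision for a route requiring `requiredPermission`. 401: not authenticated;
// 403: the key is valid but was not granted this permission.
function decide(apiKey, requiredPermission) {
  if (!apiKey) return { ok: false, status: 401, reason: 'invalid_api_key' };
  const permissions = Array.isArray(apiKey.permissions) ? apiKey.permissions : [];
  if (!permissions.includes(requiredPermission)) {
    return { ok: false, status: 403, reason: 'insufficient_permissions' };
  }
  return { ok: true, status: 200, organizationId: apiKey.owner.id, permissions };
}

// Full check: extract, validate with WorkOS (`validateKey` resolves to the API
// key object or rejects for an unknown or revoked key), then authorize.
async function authorizeRequest(headers, requiredPermission, validateKey) {
  const value = extractApiKey(headers.authorization);
  if (!value) return { ok: false, status: 401, reason: 'missing_api_key' };
  let apiKey = null;
  try {
    apiKey = await validateKey(value);
  } catch (_err) {
    apiKey = null; // any validation failure is "unauthenticated", never "permitted"
  }
  return decide(apiKey, requiredPermission);
}

// Constructed stand-in for the WorkOS validate call (sample data, not a real key).
const SAMPLE_KEYS = {
  sk_example_readonly: { owner: { type: 'organization', id: 'org_example' }, permissions: ['posts:read'] },
};
async function stubValidateKey(value) {
  // hasOwnProperty rather than `in`, so lookups like "constructor" cannot match.
  if (!Object.prototype.hasOwnProperty.call(SAMPLE_KEYS, value)) {
    throw new Error('invalid or revoked API key');
  }
  return SAMPLE_KEYS[value];
}
```

In a real deployment `validateKey` would call the WorkOS validate endpoint with the extracted value and `decide` would run once per request before the handler.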

## Viewing organization API keys in the WorkOS Dashboard

You can view and revoke your customers' API keys through the WorkOS Dashboard or [via the API](/reference/authkit/api-keys):

1. Navigate to the **Organizations** section in your WorkOS Dashboard
2. Click on the organization you want to view
3. Select the **API Keys** tab

From this view, you can see all API keys created by the organization, including their names, permissions, creation dates, and last usage information. This provides valuable visibility into how your customers are using API keys.

## Auditing API key usage

API key lifecycle changes are tracked via the [`api_key.created`](/events/api-key) and [`api_key.revoked`](/events/api-key) events. You can view these events in the [events page](https://dashboard.workos.com/environment/events) or listen for them in your application via the [events API](/events).
