API key creation
Create keys in API keys under organization settings.
Choose principal
Decide whether the key acts as you (inherits your RBAC) or as a service principal with explicit scopes.
Set scopes
Enable only what the integration needs: read pipelines, trigger runs, manage connections, or admin operations.
Header format
Send the key in the Authorization header using the Bearer scheme:
Scopes
Scopes limit blast radius when a key leaks. Examples (names illustrative—match your OpenAPI security definitions):
| Scope | Allows |
|---|---|
| pipelines:read | List and fetch pipeline definitions and metadata |
| pipelines:run | Start and cancel runs |
| connections:read | View connection metadata (not secret values) |
| connections:write | Create and rotate connections |
| admin:organization | Manage users, SSO, billing interfaces |
User keys vs service keys
- User API keys: Bound to your account; permissions match your team memberships until an admin removes you. Good for personal scripts; avoid for production automation tied to a person.
- Service API keys
Failed authentication
| Status | Meaning |
|---|---|
| 401 Unauthorized | Missing header, malformed token, or revoked key |
| 403 Forbidden | Valid key but insufficient scope or resource policy |
code and human-readable message. Do not log full keys in application logs when debugging 401s.
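A client-side sketch of the Bearer header and the 401/403 handling described above, with a logging filter that keeps full keys out of application logs. This is an added example, not code from the product or its documentation; the sample key, the helper names, and the choice to keep a 4-character suffix are assumptions.

```python
import logging
import re

# Credential part of "Bearer <key>", wherever it shows up in a log message.
_BEARER = re.compile(r"(Bearer\s+)([A-Za-z0-9._~+/=-]+)")


def auth_headers(api_key: str) -> dict:
    """Build the Authorization header using the Bearer scheme."""
    if not api_key or any(ch.isspace() for ch in api_key):
        raise ValueError("API key is empty or contains whitespace")
    return {"Authorization": f"Bearer {api_key}"}


def redact(text: str) -> str:
    """Mask bearer credentials; keep 4 trailing chars of long keys for correlation."""
    def mask(m: re.Match) -> str:
        key = m.group(2)
        tail = "..." + key[-4:] if len(key) >= 20 else ""
        return f"{m.group(1)}[REDACTED{tail}]"
    return _BEARER.sub(mask, text)


class RedactBearerFilter(logging.Filter):
    """Logging filter that redacts the fully formatted message, args included."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg, record.args = redact(record.getMessage()), None
        return True


def explain_auth_failure(status: int) -> str:
    """Map the statuses from the table above to what to check next."""
    if status == 401:
        return "missing header, malformed token, or revoked key"
    if status == 403:
        return "key is valid: check scopes, resource policy, and IP allowlist"
    return "not an authentication failure"


if __name__ == "__main__":
    key = "examplekey_0123456789abcdef"  # constructed sample, not a real key format
    log = logging.getLogger("client")
    handler = logging.StreamHandler()
    handler.addFilter(RedactBearerFilter())
    log.addHandler(handler)
    # Simulated 401 debugging line; the key never reaches the handler's output.
    log.warning("401 (%s); sent headers=%s", explain_auth_failure(401), auth_headers(key))
```

Attach the filter to every handler that can receive request or header dumps, since filters set on a logger do not apply to records propagated from child loggers.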
IP and session policies
If your workspace enables Session policy IP allowlists, API calls from disallowed networks fail with 403 even when the key is valid. Add automation egress ranges explicitly.
Related topics
API reference
Base URL, rate limits, and JSON envelopes.
Teams and permissions
How human roles relate to API access for user-bound keys.