Creating an API key
API keys can have account-level permissions, team-scoped permissions, or a combination of both. This means teams can manage their own config via the API without risking changes to other teams’ resources. When you create a new API key, you choose which permissions it has. You can only grant permissions that you yourself have. If you only have team-level permissions, you’ll only be able to create keys with team-scoped permissions.Account-level permissions
Account-level permissions apply across your entire organization. These are the same permissions available when creating custom roles, such as creating incidents, managing workflows, or reading catalog data.Team-scoped permissions
Team-scoped permissions restrict what a key can do to resources owned by specific teams.Editing an API key
Existing API keys can be edited after creation. You can update the key’s name, add or remove account-level permissions, and add or remove team-scoped permissions. To edit a key, you need the same permissions required to manage it — see Permissions required below.Permissions required
To manage API keys, you need one of:- The account-level Manage API keys permission (via a base or custom role)
- The team-scoped Manage API keys permission (via a team role)
Can an API key be scoped to multiple teams?
Can an API key be scoped to multiple teams?
Yes. A key can be associated with multiple teams, but it will have the same set of team-scoped permissions across
all of them.
Can a key have both global and team-scoped permissions?
Can a key have both global and team-scoped permissions?
Yes. A single key can have account-level permissions (e.g., read catalog data) alongside team-scoped permissions
(e.g., manage schedules for a specific team).