Managing Organization Keys

From the Settings → Secrets & Keys tab, you can view the Account ID, Agent Access Key, and manage Organization API keys.

Organization API keys differ from global API keys in scope:

  • Organization API keys: Provide access only within a single organization. They are managed at the organization level and are useful when access should remain limited to one organization.
  • Global API keys: Provide access across all organizations in an account. They are managed at the global level and are useful for automation or integrations that need to span multiple organizations.
Prerequisites:
You must meet the following requirements before you can create or manage organization API keys:
  • You are a Full Administrator or have a custom role with Organization: Read and Manage permissions.
  • You have Personal API Key: Manage permission to create and manage your own keys.

Keep API Keys Secure!

API keys should be kept secure and not shared to prevent unforeseen changes or potential security issues. Never email or write down your API key.

API Keys and Permissions

API keys inherit the same permissions that the user has. For example, an API key belonging to a Full Administrator has the same permissions as in the console, and allows them to perform functions using the API that require Full Administrator permissions.


Viewing Keys

Go to Settings → Secrets & Keys to access the Secrets Management page. The following information is available on this page:

  • Account ID: The UUID for the account. The account name is listed with this ID.
  • Agent Access Key: Used to add devices to your Automox account.
  • Organization API Keys: The list of all API keys created for the current organization. This section appears further down the Secrets Management page. If multiple secrets are listed above it, you may need to scroll to see the Add button. How you view or interact with these keys depends on your permissions. See Organization API Key Permissions and Actions for details.

The organization API key is used to access the Automox API.

Note: Organization API keys are not automatically generated for new users or new organizations. See Adding Organization API Keys.

When you use API keys, follow best practices such as:
  • Do not embed API keys directly in code.
  • Do not store API keys in files inside your application’s source tree.

Organization API Key Permissions and Actions

Organization API keys inherit the creator’s role-based permissions for this organization only. They never grant access to other organizations, even if the user has roles elsewhere.

What you can do with organization API keys depends on your assigned role and permissions.

The following interactions are available from the Organization API Keys table, subject to your permissions:

  • To view (decrypt) an API key, click the Show button to the right of the hidden characters. The key automatically hides again after 10 seconds.
  • To copy an API key, click the Copy button (clipboard). The key is automatically decrypted when copied.

Listing Organization API Keys

You can list or view organization API keys if you have the correct permissions.

  • To list all organization API keys, you must have All API Keys: Read permission.
  • To view (decrypt) your own API key, you must have Personal API Key: Manage permission.

Adding Organization API Keys

You can create up to 10 organization API keys per user account.

  • To add an organization API key for yourself, you must have Personal API Key: Manage permission.

Steps to add an organization API key:

  1. Select Add.
  2. Enter a unique name for the key.
  3. (Optional) Select an expiration date.
  4. Select Create.

Enabling and Disabling Organization API Keys

You can enable or disable organization API keys if you have the correct permissions.

  • To enable or disable API keys for any listed user, you must have All API Keys: Modify permission.
  • To enable or disable your own API key, you must have Personal API Key: Manage permission.
Note: When an API key is disabled, the key is rejected and returns an error. Disabled keys can be re-enabled.

Deleting Organization API Keys

You can permanently delete organization API keys.

  • To delete API keys for any listed user, you must have All API Keys: Delete permission.
  • To delete your own API keys, you must have Personal API Key: Manage permission.
Note: When an API key is deleted, all API requests using that key are rejected and return an error.

Example Scenarios

This table provides examples of what actions are available in the Organization API Keys table based on user role and assigned permissions.

Scenario Permission Decrypt Enable/Disable Delete
User on their own key Personal API Key: Manage Yes Yes Yes
Admin on another user’s key (Modify only) All API Keys: Modify No Yes No
Admin on another user’s key (Delete only) All API Keys: Delete No No Yes
Admin on another user’s key (Modify and Delete) All API Keys: Modify and All API Keys: Delete No Yes Yes
Note: Decrypt is always limited to the key owner. Administrators cannot decrypt another user’s key, even with All API Keys permissions.

Related Topics