Create API keys
Create and rotate scoped delivery, preview, or agent credentials.
API keys are Organization-owned service principals. Create one credential for one consumer and copy its secret once.
Create a key
- Open Settings → API keys and select New key.
- Enter a name and choose Delivery Published, Delivery Preview, or Agent.
- For an Agent key, select only the required permissions and explicit All or Selected resource scopes. Its Backend is fixed to the current Backend.
- Choose Never, 7 days, 30 days, or 90 days, create the key, and immediately store the displayed secret.
The page requires backend.read. Listing keys uses apiKey.read; creating, changing policy, and revoking use apiKey.create, apiKey.update, and apiKey.delete respectively.
Delivery keys receive only delivery.readPublished or delivery.readPreview and are scoped to the Backend. They do not use Data Type, Locale, or Vocabulary scopes. Agent keys can receive only backend.read, model.read, content.read, content.create, content.update, content.publish, content.unpublish, vocabulary.read, term.read, release.read, release.create, release.update, or release.schedule.
Rotate a key
Create a replacement, deploy and test it, then revoke the old key. Delivery and Agent configurations are not interchangeable, and the secret cannot be displayed again.