API Keys
API keys give you a secure way to authenticate administrative API requests and enable dynamic OAuth client registration from your applications. Unlike user access tokens, API keys are long-lived credentials scoped to your tenant.
What API Keys Are Used For
| Purpose | Description |
|---|---|
| Admin API access | Authenticate calls to the tenant admin API (/t/{tenantSlug}/api/v1/admin/*) |
| Dynamic client registration | Allow your application to register OAuth clients programmatically (RFC 7591) |
| Server-to-server automation | Provision users, manage roles, sync data from a backend service |
Managing API Keys
Go to /t/{tenantSlug}/portal/settings/api-keys to manage all API keys for your tenant.
Creating an API Key
- Click Create API Key
- Enter a descriptive name (e.g., "CI/CD pipeline" or "Backend provisioning")
- Click Create
- Copy the key immediately — it is only shown once and cannot be retrieved again
Store your key securely
LumoAuth stores only a hashed version of the key. If you lose it, you must rotate it to get a new one.
Key Lifecycle
| Action | Description |
|---|---|
| Create | Generates a new key; shown in full only at creation |
| Rotate | Generates a replacement key and immediately invalidates the old one |
| Revoke | Permanently disables the key |
| Delete | Removes the key record from the portal |
Using an API Key
Include the key as a Bearer token in the Authorization header:
curl https://your-domain.com/t/{tenantSlug}/api/v1/admin/users \
-H "Authorization: Bearer {your-api-key}"
Alternatively, some endpoints accept the key in an X-API-Key header:
curl https://your-domain.com/t/{tenantSlug}/api/v1/admin/users \
-H "X-API-Key: {your-api-key}"
Rotating an API Key
When you suspect a key has been compromised, or as part of regular key rotation practice:
- Go to /t/{tenantSlug}/portal/settings/api-keys
- Find the key and click Rotate
- Copy the new key — it is shown only once
- Update your applications to use the new key
- The old key is invalidated immediately upon rotation
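The lifecycle table, the two accepted request headers and the rotation steps above describe behaviour a practitioner usually wants to see end to end. The following is an added illustrative model of that behaviour written for this page; it is not LumoAuth's code, and the key format (`<key_id>.<secret>`), the in-memory store and the use of SHA-256 for the stored hash are assumptions made for the example. It shows why a lost key cannot be recovered (only the hash is kept), how rotation invalidates the previous secret at once, how revocation is permanent, and how a server picks the key out of either `Authorization: Bearer` or `X-API-Key`.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiKeyRecord:
    key_id: str
    name: str
    secret_hash: str        # SHA-256 of the secret; the plaintext is never stored
    status: str = "active"  # "active" or "revoked"


def _hash_secret(secret: str) -> str:
    # A plain SHA-256 is adequate here because the secret is 256 bits of
    # CSPRNG output, not a user-chosen password (assumption for this example).
    return hashlib.sha256(secret.encode()).hexdigest()


class ApiKeyStore:
    """Tenant-scoped store that keeps only hashed secrets (illustrative, in-memory)."""

    def __init__(self, tenant_slug: str) -> None:
        self.tenant_slug = tenant_slug
        self._records: dict[str, ApiKeyRecord] = {}

    def create(self, name: str) -> tuple[str, str]:
        """Create a key. Returns (key_id, full_key); full_key is shown only now."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = ApiKeyRecord(key_id, name, _hash_secret(secret))
        # Assumed wire format: "<key_id>.<secret>" so the server can find the record.
        return key_id, f"{key_id}.{secret}"

    def rotate(self, key_id: str) -> str:
        """Replace the secret; the old one stops matching immediately."""
        rec = self._records[key_id]
        if rec.status != "active":
            raise ValueError("revoked keys are permanently disabled; create a new key")
        secret = secrets.token_urlsafe(32)
        rec.secret_hash = _hash_secret(secret)
        return f"{key_id}.{secret}"

    def revoke(self, key_id: str) -> None:
        self._records[key_id].status = "revoked"

    def delete(self, key_id: str) -> None:
        del self._records[key_id]

    def verify(self, presented: str) -> Optional[ApiKeyRecord]:
        """Return the record if the presented key is valid and active, else None."""
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None or rec.status != "active":
            return None
        # Constant-time comparison of the two hex digests.
        if not hmac.compare_digest(rec.secret_hash, _hash_secret(secret)):
            return None
        return rec


def extract_api_key(headers: dict[str, str]) -> Optional[str]:
    """Accept 'Authorization: Bearer <key>' first, then fall back to 'X-API-Key'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    auth = lowered.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    return lowered.get("x-api-key")


def authenticate(store: ApiKeyStore, headers: dict[str, str]) -> Optional[ApiKeyRecord]:
    """Resolve the request headers to an active key record, or None."""
    key = extract_api_key(headers)
    return store.verify(key) if key else None


if __name__ == "__main__":
    store = ApiKeyStore("acme")
    kid, full = store.create("CI/CD pipeline")
    print("authenticated as:", authenticate(store, {"Authorization": f"Bearer {full}"}).name)
    new = store.rotate(kid)
    print("old key still valid after rotation:", store.verify(full) is not None)
    print("new key valid:", store.verify(new) is not None)
```

The `rotate` step is where "invalidated immediately" comes from: there is only one stored hash per key id, so overwriting it leaves nothing for the old secret to match against. Revoked keys deliberately cannot be rotated back to life, matching the table's "permanently disables".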
Best Practices
- Use one key per service — name keys after the service that uses them so you can revoke individual services without affecting others
- Rotate keys periodically — treat API keys like passwords and rotate them on a schedule
- Never expose keys in client-side code — API keys have admin-level access; only use them in server-side code
- Monitor key usage — suspicious API calls appear in Audit Logs
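The "one key per service" and "monitor key usage" points combine naturally: when each key is named after the service that uses it, the audit trail can be checked per key for behaviour that service should never show. The following is an added example written for this page, not LumoAuth code; the JSON Lines layout of the sample audit records and their field names (`ts`, `key_id`, `src_ip`, `method`, `path`, `status`) are constructed for the example and are not the product's actual audit log schema. It flags two patterns a defender would want to review: a key calling the admin API from more distinct source addresses than a single backend service normally uses, and a key that keeps producing authentication failures (a rotated or revoked key still configured somewhere, or a leaked old key being tried).

```python
import json
from collections import defaultdict

# Constructed sample audit log (JSON Lines). Field names are an assumption
# for this example, not LumoAuth's real audit log format.
SAMPLE_AUDIT_LOG = """
{"ts": "2024-05-01T10:00:01Z", "key_id": "ci-pipeline",   "src_ip": "203.0.113.10", "method": "GET",  "path": "/t/acme/api/v1/admin/users", "status": 200}
{"ts": "2024-05-01T10:00:05Z", "key_id": "ci-pipeline",   "src_ip": "203.0.113.10", "method": "GET",  "path": "/t/acme/api/v1/admin/users", "status": 200}
{"ts": "2024-05-01T10:02:00Z", "key_id": "backend-prov",  "src_ip": "198.51.100.7", "method": "POST", "path": "/t/acme/api/v1/admin/users", "status": 201}
{"ts": "2024-05-01T10:03:00Z", "key_id": "backend-prov",  "src_ip": "198.51.100.8", "method": "POST", "path": "/t/acme/api/v1/admin/users", "status": 201}
{"ts": "2024-05-01T10:04:00Z", "key_id": "backend-prov",  "src_ip": "192.0.2.44",   "method": "GET",  "path": "/t/acme/api/v1/admin/users", "status": 200}
{"ts": "2024-05-01T10:05:00Z", "key_id": "old-reporting", "src_ip": "192.0.2.99",   "method": "GET",  "path": "/t/acme/api/v1/admin/users", "status": 401}
{"ts": "2024-05-01T10:05:30Z", "key_id": "old-reporting", "src_ip": "192.0.2.99",   "method": "GET",  "path": "/t/acme/api/v1/admin/roles", "status": 401}
"""

# Thresholds are assumptions; tune them to how your services actually deploy.
MAX_SOURCE_IPS = 2     # a backend service usually calls from a small fixed set of hosts
MIN_AUTH_FAILURES = 2  # repeated 401/403 with the same key id is worth a look


def parse_audit_log(text: str) -> list[dict]:
    """Parse JSON Lines audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious_key_usage(events: list[dict],
                              max_ips: int = MAX_SOURCE_IPS,
                              min_failures: int = MIN_AUTH_FAILURES) -> list[dict]:
    """Return findings, one per (key_id, rule) pair that trips a threshold."""
    source_ips: dict[str, set] = defaultdict(set)
    auth_failures: dict[str, int] = defaultdict(int)

    for event in events:
        source_ips[event["key_id"]].add(event["src_ip"])
        if event["status"] in (401, 403):
            auth_failures[event["key_id"]] += 1

    findings = []
    for key_id, addrs in source_ips.items():
        if len(addrs) > max_ips:
            findings.append({"key_id": key_id, "rule": "many_source_ips",
                             "detail": sorted(addrs)})
    for key_id, count in auth_failures.items():
        if count >= min_failures:
            findings.append({"key_id": key_id, "rule": "repeated_auth_failures",
                             "detail": count})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_key_usage(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(f"{finding['key_id']}: {finding['rule']} -> {finding['detail']}")
```

Because each finding names a key, and each key names a service, the response is scoped: the flagged key can be rotated or revoked in the portal without touching the services whose keys look normal.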
Related
- OAuth 2.0 & OIDC Applications — manage OAuth clients
- Audit Logs — monitor API key usage
- Dynamic Client Registration — register OAuth clients via API