
API Keys

Provide secure, self-service API key management to your customers.

On this page

  • Introduction
  • Configuring API keys
    • Setting up role permissions
    • Configuring available permissions
  • API key management in your application
    • Using the API Keys Widget
    • Managing API keys via the API
  • Validating API keys
  • Viewing API keys in the WorkOS Dashboard
  • Auditing API key usage

Introduction

API keys provide a secure way for your application’s users to authenticate with your API. With the API Keys Widget, your customers can create and revoke organization-scoped and user-scoped API keys with a simple component. The WorkOS API and SDKs provide functions for your API code to validate keys.

API keys are one of two ways WorkOS enables you to issue credentials to your customers that they use to programmatically access your application. The other is M2M applications. The API Keys vs M2M Applications guide can help you decide which is best for your use case.

Configuring API keys

Before your users can manage API keys, you need to configure your WorkOS environment.

Setting up role permissions

To enable organization-scoped API key management for your users, ensure at least one role includes the widgets:api-keys:manage permission. To enable user-scoped API key management, use widgets:user-api-keys:manage-self for a user’s own API keys or widgets:user-api-keys:manage-all for API keys across the organization.

You can assign permissions to roles in the WorkOS Dashboard under Authorization.

Configuring available permissions

You can control which permissions your users can assign to API keys by configuring API key permissions in your environment.

For example, you might create permissions like:

  • posts:read – Read access to posts
  • posts:write – Write access to posts
  • users:read – Read access to user data

By configuring only posts:read and posts:write as available API key permissions, your users can create API keys with granular access controls, such as read-only keys that only have the posts:read permission.

You can configure API key permissions in the WorkOS Dashboard under Authorization > Configuration > Organization API key permissions. User-scoped API keys can only use permissions that are enabled for user API keys.

API key management in your application

Using the API Keys Widget

The easiest way to enable API key management for your users is through the API Keys Widget. This widget provides a complete interface for creating, viewing, and revoking API keys.

Use the default scope="organization" mode when users should manage API keys owned by their organization. Use scope="user" when users should manage API keys owned by individual users.

The widget allows your users to:

  • Create new API keys with custom names
  • Select specific permissions for each key
  • View existing API keys (with obfuscated values for security)
  • Revoke API keys when they’re no longer needed

The widget interacts with the WorkOS API and renders the user interface in your app, so your customers get full control over their API keys in just a few lines of code.

Managing API keys via the API

You can also manage API keys programmatically using the WorkOS API. This is useful for building custom API key management interfaces or automating key lifecycle operations.

  • List API keys for an organization
  • Create an API key for an organization
  • List API keys for a user
  • Create an API key for a user
  • Delete an API key

The full API key value is only returned in the create response. Store it securely when the key is created; subsequent list, validate, and object responses only include an obfuscated value.

API key ownership is available on the owner field. Organization-owned keys have owner.type: "organization" and an organization ID in owner.id. User-owned keys have owner.type: "user", a user ID in owner.id, and the organization the key can access in owner.organization_id.

User-owned API keys are tied to the user’s organization membership. If that membership is deleted, any user-owned API keys for that membership are revoked.

Validating API keys

Once API keys have been created, your application needs to validate these keys when they’re used to authenticate API requests. When an API request includes an API key (typically in the Authorization header), your application should validate it with WorkOS to ensure it’s legitimate and retrieve the associated permissions.

The validate API key endpoint returns the complete API key object, including:

  • The organization or user that owns the key
  • The permissions assigned to the key
  • Usage metadata like creation and last-used timestamps

This information allows your application to not only authenticate the request but also authorize it based on the specific permissions granted to that API key.

import { NextResponse } from 'next/server';
import { validateApiKey } from '@workos-inc/authkit-nextjs';

export async function GET() {
  // Ask WorkOS to validate the API key presented with this request.
  const { apiKey } = await validateApiKey();
  if (!apiKey) {
    // Missing, revoked, or unrecognized key: reject before doing any work.
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }
  return NextResponse.json({ success: true });
}
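The snippet above only checks that a key is valid. As an added example (not WorkOS's own code), the following shows the authorization step described above, applied to the key object that validation returns: the owner.type, owner.id and owner.organization_id fields are the ones documented on this page, while the permissions field name and the two sample key objects are constructed assumptions.

```javascript
// Constructed sample: an organization-owned key with read-only access.
const sampleOrgKey = {
  id: 'api_key_01EXAMPLE', // placeholder id, not a real WorkOS value
  name: 'ci-read-only',
  owner: { type: 'organization', id: 'org_01EXAMPLE' },
  permissions: ['posts:read'], // field name assumed
};

// Constructed sample: a user-owned key that can access one organization.
const sampleUserKey = {
  id: 'api_key_02EXAMPLE',
  name: 'alice-cli',
  owner: { type: 'user', id: 'user_01EXAMPLE', organization_id: 'org_01EXAMPLE' },
  permissions: ['posts:read', 'posts:write'],
};

// Resolve the organization a key grants access to, for either owner type.
function organizationForKey(apiKey) {
  if (apiKey.owner.type === 'organization') return apiKey.owner.id;
  if (apiKey.owner.type === 'user') return apiKey.owner.organization_id;
  throw new Error(`unknown owner type: ${apiKey.owner.type}`);
}

// Deny by default: every required permission must be present on the key.
function authorize(apiKey, requiredPermissions) {
  const granted = new Set(apiKey.permissions ?? []);
  const missing = requiredPermissions.filter((p) => !granted.has(p));
  if (missing.length > 0) {
    return { allowed: false, status: 403, missing };
  }
  return { allowed: true, status: 200, organizationId: organizationForKey(apiKey) };
}

// Tenant isolation: the key's organization must match the one the request targets,
// so a valid key for one customer cannot read another customer's data.
function authorizeForOrganization(apiKey, requiredPermissions, targetOrgId) {
  const decision = authorize(apiKey, requiredPermissions);
  if (!decision.allowed) return decision;
  if (decision.organizationId !== targetOrgId) {
    return { allowed: false, status: 403, reason: 'organization mismatch' };
  }
  return decision;
}

console.log(authorize(sampleOrgKey, ['posts:write']));
console.log(authorizeForOrganization(sampleUserKey, ['posts:write'], 'org_01EXAMPLE'));
```

In a route handler, the decision's status would replace the blanket 401 above: 401 when validation fails, 403 when the key is valid but lacks a permission or targets the wrong organization.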

Viewing API keys in the WorkOS Dashboard

You can view your customers’ API keys through the WorkOS Dashboard or via the API.

To view organization-owned API keys:

  1. Navigate to the Organizations section in your WorkOS Dashboard
  2. Click on the organization you want to view
  3. Select the API Keys tab

To view user-owned API keys:

  1. Navigate to the Users section in your WorkOS Dashboard
  2. Click on the user you want to view
  3. Select the API keys tab

From these views, you can see API key details including names, obfuscated key values, creation dates, and last usage information. User-owned API keys also show the organization each key can access.

You can also list organization-owned API keys and list user-owned API keys via the API.

Auditing API key usage

API key lifecycle changes are tracked via the api_key.created and api_key.revoked events. You can view these events in the events page or listen for them in your application via the events API.
