> ## Documentation Index
> Fetch the complete documentation index at: https://docs.cysmiq.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Manage API keys

> Create and manage personal or workspace API keys for automation and integrations.

## Overview

API keys provide programmatic access for CI pipelines, integrations, and tooling. Cysmiq supports two types of keys:

* **Personal API keys**: Scoped to your user account. Can be restricted to specific workspaces.
* **Workspace API keys**: Scoped to a workspace (tenant). Managed by workspace admins for shared integrations.

## Create an API key

<Steps>
  <Step title="Open settings">
    <Tabs>
      <Tab title="Personal key">
        Open the **Workspaces** page, select **Security**, then scroll to **API keys**.

        <Info>
          Use `https://app.cysmiq.com/workspaces` for Cysmiq Cloud. For self-hosted, use your Cysmiq app URL.
        </Info>

        <Frame caption="Personal API keys are managed in your account security settings.">
          <img src="https://mintcdn.com/cysmiq/b1Lbo3Hes6--JS1V/images/guides/api-keys/api-keys-01-form.webp?fit=max&auto=format&n=b1Lbo3Hes6--JS1V&q=85&s=063e2dfaee40891b6511d30d0e2b19ec" alt="API keys section showing the form to create a personal API key." width="1660" height="1672" data-path="images/guides/api-keys/api-keys-01-form.webp" />
        </Frame>
      </Tab>

      <Tab title="Workspace key">
        <Note>Admin access to the workspace is required</Note>

        From the workspace sidebar, select **Settings**, then **Security** under Administration.

        <Frame caption="Workspace API keys are managed in workspace security settings.">
          <img src="https://mintcdn.com/cysmiq/b1Lbo3Hes6--JS1V/images/guides/api-keys/api-keys-05-workspace-form.webp?fit=max&auto=format&n=b1Lbo3Hes6--JS1V&q=85&s=50aa31f57ba468a30fee3b84458d981f" alt="Workspace security settings showing the API keys section." width="1400" height="1654" data-path="images/guides/api-keys/api-keys-05-workspace-form.webp" />
        </Frame>
      </Tab>
    </Tabs>
  </Step>

  <Step title="Configure the key">
    Enter a descriptive **Token name** to identify the key's purpose, such as "CI read-only" or "GitHub Actions".

    Select the **Scopes** for the key. For a CI read-only key, keep read scopes enabled and leave write scopes disabled. Available read scopes include:

    * **Read vulnerabilities** (`vulnerabilities:read`): Access vulnerability lists and summary data
    * **Read policy violations** (`policy-violations:read`): Access policy violation lists and details
    * **Read scans** (`scans:read`): Access scan lists and status
    * **Read organizations** (`organizations:read`): Access organization lists and details
    * **Read repositories** (`repositories:read`): Access repository lists and details

    Choose an **Expires** value. Shorter expirations are more secure but require more frequent rotation.

    <Tabs>
      <Tab title="Personal key">
        Optionally restrict the key to specific workspaces using **Restrict to workspaces**. If no workspaces are selected, the key works across all workspaces you have access to.

        <Frame caption="Fill in the token name and choose expiration. Workspace restrictions are optional.">
          <img src="https://mintcdn.com/cysmiq/b1Lbo3Hes6--JS1V/images/guides/api-keys/api-keys-02-form-filled.webp?fit=max&auto=format&n=b1Lbo3Hes6--JS1V&q=85&s=8950a7aa7cffc7223d2b5bd0f8271bfd" alt="API key form filled with token name CI read-only and 30 day expiration." width="1660" height="1672" data-path="images/guides/api-keys/api-keys-02-form-filled.webp" />
        </Frame>
      </Tab>

      <Tab title="Workspace key">
        Workspace keys are automatically scoped to the current workspace.
      </Tab>
    </Tabs>
  </Step>

  <Step title="Create and copy the key">
    Select **Create API key**. The key value is displayed once and cannot be retrieved later.

    <Frame caption="Copy the key immediately. It will not be shown again.">
      <img src="https://mintcdn.com/cysmiq/b1Lbo3Hes6--JS1V/images/guides/api-keys/api-keys-03-key-created.webp?fit=max&auto=format&n=b1Lbo3Hes6--JS1V&q=85&s=c41251b30995cbebebf4c32022425764" alt="New API key created dialog showing the key value with a copy button and warning to store it securely." width="1660" height="2200" data-path="images/guides/api-keys/api-keys-03-key-created.webp" />
    </Frame>

    Select **Copy** to copy the key to your clipboard, then store it securely in a secrets manager or environment variable.
  </Step>
</Steps>

## Verify an API key

Use the `whoami` endpoint to confirm your key and tenant context.

<Steps>
  <Step title="Find your tenant slug">
    Open the **Workspaces** page. The tenant slug is the short identifier used in API URLs. It appears under each workspace name, such as `e55cdd66`.

    <Frame caption="The tenant slug appears under the workspace name.">
      <img src="https://mintcdn.com/cysmiq/b1Lbo3Hes6--JS1V/images/guides/api-keys/api-keys-workspaces-slug.webp?fit=max&auto=format&n=b1Lbo3Hes6--JS1V&q=85&s=4573b75d6a9e8d1c485f3c74f521e67a" alt="Workspaces list showing the tenant slug under a workspace name." width="1440" height="1080" data-path="images/guides/api-keys/api-keys-workspaces-slug.webp" />
    </Frame>
  </Step>

  <Step title="Send a whoami request">
    Replace `<tenant-slug>` with the value from the previous step.

    <Info>
      For self-hosted deployments, replace `https://app.cysmiq.com` with your Cysmiq app URL.
    </Info>

    <CodeGroup>
      ```bash Example request theme={null}
      curl -H "Accept: application/json" \
        -H "Authorization: Bearer cys_tt_example1234567890" \
        https://app.cysmiq.com/api/v1/<tenant-slug>/whoami
      ```

      ```json Success response theme={null}
      {
        "actor": {
          "id": "usr_01hxyzexample",
          "name": "Maya Chen",
          "email": "maya.chen@northstarretail.com",
          "type": "user"
        },
        "tenant": {
          "id": "t_01hxyztnt",
          "slug": "e55cdd66",
          "workspace": "Northstar Retail"
        },
        "token": {
          "id": "12345",
          "name": "CI read-only",
          "scopes": ["vulnerabilities:read"],
          "expires_at": null
        }
      }
      ```
    </CodeGroup>
  </Step>
</Steps>

## View and revoke keys

Created keys appear in a list below the creation form. Each key shows:

* **Name** and **Status** (Active, Expired, or Disabled)
* **Created** date and **Last used** timestamp
* **Expires** date
* **Scopes** assigned to the key

<Frame caption="Keys are listed with status, usage details, and a revoke option.">
  <img src="https://mintcdn.com/cysmiq/b1Lbo3Hes6--JS1V/images/guides/api-keys/api-keys-04-key-list.webp?fit=max&auto=format&n=b1Lbo3Hes6--JS1V&q=85&s=19aac8879d07ab4b1ade4d3a8512cd3c" alt="API key list showing a CI read-only key with Active status and details." width="1660" height="1886" data-path="images/guides/api-keys/api-keys-04-key-list.webp" />
</Frame>

To revoke a key, select **Revoke** and confirm. Revoked keys are permanently disabled and cannot be restored.

## Related docs

* [API keys](/security-access/api-keys): Key types, scopes, and lifecycle details
* [API reference](/api-reference): Using API keys for authentication
