API keys control access to Guardian and provide fine-grained permission management. Capabilities can be scoped per area so that each key only has the permissions it needs.

Capabilities

API keys support scoped permissions per functional area, so each key holds only the permissions it needs. For the full list of scopes and the endpoints each one grants, see Authentication — Scopes.

Best practices

  • Use the principle of least privilege — only grant necessary capabilities.
  • Rotate API keys regularly for security.
  • Use different keys for different services or applications.