API keys control access to Guardian and provide fine-grained permission management. Capabilities can be scoped per area so that each key only has the permissions it needs.

Capabilities

API keys support scoped permissions per functional area:
  • API Keys
    • admin:api-keys:create
    • admin:api-keys:read
    • admin:api-keys:update
    • admin:api-keys:delete
  • Webhooks
    • admin:webhooks:create
    • admin:webhooks:read
    • admin:webhooks:delete
  • Types
    • admin:types:create
    • admin:types:read
    • admin:types:delete
  • PCI Tokens
    • pci:tokens:create
    • pci:tokens:read
    • pci:tokens:update
    • pci:tokens:delete
    • pci:tokens:forward
  • Network Tokens
    • network:tokens:create
    • network:tokens:read
    • network:tokens:delete
    • network:tokens:use
  • Generic Tokens
    • generic:tokens:create
    • generic:tokens:read
    • generic:tokens:delete

Best practices

  • Use the principle of least privilege — only grant necessary capabilities.
  • Rotate API keys regularly for security.
  • Use different keys for different services or applications.
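
The three practices above can be checked mechanically against a key inventory. The following is an added example, not Guardian code or part of its API: the inventory format, the key and service names, and the 90-day rotation window are assumptions, and only the capability names come from this page.

```python
from datetime import date

# Capability names exactly as listed on this page, grouped by area.
DOCUMENTED = {
    "admin:api-keys": {"create", "read", "update", "delete"},
    "admin:webhooks": {"create", "read", "delete"},
    "admin:types": {"create", "read", "delete"},
    "pci:tokens": {"create", "read", "update", "delete", "forward"},
    "network:tokens": {"create", "read", "delete", "use"},
    "generic:tokens": {"create", "read", "delete"},
}
MAX_AGE_DAYS = 90  # assumed rotation window; the page only says "regularly"

def is_documented(cap):
    area, _, action = cap.rpartition(":")
    return action in DOCUMENTED.get(area, set())

def audit(keys, needs, today):
    """Return sorted (key name, finding) pairs for a key inventory."""
    findings = []
    for k in keys:
        caps = set(k["capabilities"])
        for cap in sorted(caps):
            if not is_documented(cap):
                findings.append((k["name"], f"unknown capability {cap}"))
        # Least privilege: a key may hold only what its services need.
        allowed = set().union(*(needs.get(s, set()) for s in k["services"]))
        for cap in sorted(c for c in caps - allowed if is_documented(c)):
            findings.append((k["name"], f"excess capability {cap}"))
        if len(k["services"]) > 1:
            findings.append((k["name"], "shared by " + ", ".join(sorted(k["services"]))))
        if (today - k["created"]).days > MAX_AGE_DAYS:
            findings.append((k["name"], "rotation overdue"))
    return sorted(findings)

# Constructed inventory and per-service needs (hypothetical names and format).
NEEDS = {"checkout": {"pci:tokens:create", "pci:tokens:forward"},
         "reporting": {"generic:tokens:read"}}
KEYS = [
    {"name": "key-a", "services": ["checkout"], "created": date(2024, 5, 1),
     "capabilities": ["pci:tokens:create", "pci:tokens:forward"]},
    {"name": "key-b", "services": ["checkout", "reporting"], "created": date(2024, 1, 10),
     "capabilities": ["pci:tokens:create", "generic:tokens:read",
                      "admin:api-keys:create", "pci:tokens:update", "admin:webhooks:update"]},
]

if __name__ == "__main__":
    for name, finding in audit(KEYS, NEEDS, date(2024, 6, 1)):
        print(name, "-", finding)
```

Here `key-a` passes cleanly, while `key-b` is flagged on every count, including a capability name that does not appear in the list above.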