Skip to main content
Use API keys to engage with Endor Labs services programmatically and enable any automation or integration with other systems in your environment. You can manage API keys with endorctl or from the Endor Labs user interface.
Instead of using API keys, you can use keyless authentication to authenticate with Endor Labs services. See Keyless authentication for more information. Using keyless authentication eliminates the need to manage API keys and reduces the risk of API key compromise.
See API key management best practices for more information on how to manage API keys.

Create an API key

Create an API key to access Endor Labs services programmatically. You can create an API key either from the user interface or using the Endor Labs API. You can create API keys with an expiry of up to one year from the user interface. Use the API to create keys with longer expiry.

Create an API key through the Endor Labs user interface

  1. Select User menu > Settings from the left sidebar.
  2. Select Access Control > API Keys.
  3. Click Generate API Key.
  4. Enter a name to identify the API key.
  5. Select the roles to apply to the API Key. You can choose from the following options:
    • Admin
    • Read-only
    • Code Scanner
    • Policy Editor
    • On-Prem Scheduler
    • Package Firewall User
  6. Select the expiry of the API key. You can set the value as 30, 60, 90 days, or one year.
  7. When you create an API key, it applies to the current namespace and all its child namespaces. To prevent the policy from being applied to any child namespace, click Advanced and deselect Propagate this policy to all child namespaces.
Using these credentials, you can configure Endor Labs scans in your CI/CD pipeline, or set up the Endor Labs Visual Studio Code extension. Each session initiated by the API key is valid up to four hours. See scanning with endorctl and use Endor Labs extension in Visual Studio Code for details.

Create an API key through Endor Labs API

Run the following command to generate and API with the create API Key endpoint. 

endorctl api create -r APIKey --data '{
  "meta": {
    "name": "API Key name",
    "description": "API key description"
  },
  "spec": {
    "permissions": {
      "roles": ["SYSTEM_ROLE_ADMIN"]
    },
    "expiration_time": "2025-05-01T00:00:00Z"
  }
}
You can use the following values in spec.permissions.roles:
  • SYSTEM_ROLE_ADMIN
  • SYSTEM_ROLE_READ_ONLY
  • SYSTEM_ROLE_POLICY_EDITOR
  • SYSTEM_ROLE_CODE_SCANNER
  • SYSTEM_ROLE_PACKAGE_FIREWALL
See authorization roles for more information. You can provide a specific value for the expiration date of the token. You can also set an expiry of over one year if required. You cannot edit the expiry after you create the API key. If you want to change the expiry, create a new API key with the required expiry date. For example, you want to create an API key for a CI/CD pipeline that expires on March 31st 2026. Run the following command to create an API key with SYSTEM_ROLE_CODE_SCANNER role so that you can use it for endorctl access from a CI/CD pipeline. 

endorctl api create -r APIKey --data '{
  "meta": {
    "name": "CI/CD Access API key",
    "description": "API key for use within the CI/CD pipeline"
  },
  "spec": {
    "permissions": {
      "roles": ["SYSTEM_ROLE_CODE_SCANNER"]
    },
    "expiration_time": "2026-03-31T00:00:00Z"
  }
}'



{
  "meta": {
    "create_time": "2025-03-11T16:29:06.127975636Z",
    "created_by": "xxxxxx@endor.ai@google@api-key",
    "description": "API key for use within the CI/CD pipeline",
    "kind": "APIKey",
    "name": "CI/CD Access API key",
    "update_time": "2025-03-11T16:29:06.127975636Z",
    "updated_by": "xxxxxx@endor.ai@google@api-key",
    "version": "v1"
  },
  "spec": {
    "expiration_time": "2026-03-31T00:00:00Z",
    "issuing_user": {
      "meta": {
        "name": "xxxxxx@endor.ai@google@api-key"
      },
      "spec": {
        "email": "",
        "first_name": "",
        "last_login_time": "2025-03-11T16:29:06.114662511Z",
        "last_name": "",
        "user_name": ""
      }
    },
    "key": "endr+foo",
    "permissions": {
      "roles": [
        "SYSTEM_ROLE_CODE_SCANNER"
      ]
    },
    "secret": "endr+bar"
  },
  "tenant_meta": {
    "namespace": "demo"
  },
  "uuid": "67dx6x6x6f69xxx777a41cda"
}

Delete an API Key

Delete the API keys that are expired or no longer in use. You can delete API keys using the Endor Labs user interface or using the Endor Labs API.

Delete an API key through the Endor Labs user interface

  1. Select User menu > Settings from the left sidebar.
  2. Select Access Control > API Keys.
  3. Find the API key that you want to delete and click Delete.

Delete an API key through Endor Labs API

Run the following command to delete an API key with the delete API Key endpoint. 
endorctl api delete -r=APIKey --name=<API_Key_Name>
The command fails if there are multiple API keys with the same name. You can use the UUID to delete a specific API key. 
endorctl api delete -r=APIKey --uuid=<API_Key_UUID>