> ## Documentation Index
> Fetch the complete documentation index at: https://docs.endorlabs.com/llms.txt
> Use this file to discover all available pages before exploring further.
## Submitting Feedback
If you encounter incorrect, outdated, or confusing documentation on this page, submit feedback:
POST https://docs.endorlabs.com/feedback
```json
{
"path": "/platform-administration/api-keys/index",
"feedback": "Description of the issue"
}
```
Only submit feedback when you have something specific and actionable to report.
# Manage API keys
> Manage your Endor Labs API keys for automation.
Use API keys to engage with Endor Labs services programmatically and enable any automation or integration with other systems in your environment. You can manage API keys with endorctl or from the Endor Labs user interface.
Instead of using API keys, you can use keyless authentication to authenticate with Endor Labs services. See [Keyless authentication](/setup-deployment/ci-cd/keyless-authentication) for more information. Using keyless authentication eliminates the need to manage API keys and reduces the risk of API key compromise.
See [Best Practices: API key management](/best-practices/manage-api-keys) for more information on how to manage API keys.
## Create an API key
Create an API key to access Endor Labs services programmatically. You can create an API key through the Endor Labs user interface or using the Endor Labs API. You can create API keys with an expiry of up to one year from the Endor Labs user interface. You can use the API to generate API keys with longer expiry.
### Create an API key through the Endor Labs user interface
1. Select **Settings** > **Access Control** from the left sidebar.
2. Select **API Keys**.
3. Click **Generate API Key**.
4. Enter a name to identify the API key.
5. Select the [roles](/platform-administration/rbac/authorization-roles) to apply to the API Key.
You can choose from the following options:
* Admin
* Read-only
* Code Scanner
* Policy Editor
* On-Prem Scheduler
6. Select the expiry of the API key.
You can set the value as 30, 60, 90 days, or one year.
7. When you create an API key, it applies to the current namespace and all its child namespaces.
To prevent the policy from being applied to any child namespace, click **Advanced** and deselect **Propagate this policy to all child namespaces**.
Using these credentials, you can configure Endor Labs scans in your CI/CD pipeline, or set up the Endor Labs Visual Studio Code extension. Each session initiated by the API key is valid up to four hours. See [scanning with endorctl](/scan/sca) and [use Endor Labs extension in Visual Studio Code](/setup-deployment/ide) for details.
### Create an API key through Endor Labs API
Run the following command to generate and API with the [create API Key endpoint](/api-reference/apikeyservice/createapikey).
```shell theme={null}
endorctl api create -r APIKey --data '{
"meta": {
"name": "API Key name",
"description": "API key description"
},
"spec": {
"permissions": {
"roles": ["SYSTEM_ROLE_ADMIN"]
},
"expiration_time": "2025-05-01T00:00:00Z"
}
}
```
You can use the following values in `spec.permissions.roles`:
* `SYSTEM_ROLE_ADMIN`
* `SYSTEM_ROLE_READ_ONLY`
* `SYSTEM_ROLE_POLICY_EDITOR`
* `SYSTEM_ROLE_CODE_SCANNER`
See [authorization roles](/platform-administration/rbac/authorization-roles) for more information.
You can provide a specific value for the expiration date of the token. You can also set an expiry of over one year if required. You cannot edit the expiry after you create the API key. If you want to change the expiry, create a new API key with the required expiry date.
For example, you want to create an API key for a CI/CD pipeline that expires on March 31st 2026.
Run the following command to create an API key with `SYSTEM_ROLE_CODE_SCANNER` role so that you can use it for endorctl access from a CI/CD pipeline.
```shell theme={null}
endorctl api create -r APIKey --data '{
"meta": {
"name": "CI/CD Access API key",
"description": "API key for use within the CI/CD pipeline"
},
"spec": {
"permissions": {
"roles": ["SYSTEM_ROLE_CODE_SCANNER"]
},
"expiration_time": "2026-03-31T00:00:00Z"
}
}'
```
```shell expandable theme={null}
{
"meta": {
"create_time": "2025-03-11T16:29:06.127975636Z",
"created_by": "xxxxxx@endor.ai@google@api-key",
"description": "API key for use within the CI/CD pipeline",
"kind": "APIKey",
"name": "CI/CD Access API key",
"update_time": "2025-03-11T16:29:06.127975636Z",
"updated_by": "xxxxxx@endor.ai@google@api-key",
"version": "v1"
},
"spec": {
"expiration_time": "2026-03-31T00:00:00Z",
"issuing_user": {
"meta": {
"name": "xxxxxx@endor.ai@google@api-key"
},
"spec": {
"email": "",
"first_name": "",
"last_login_time": "2025-03-11T16:29:06.114662511Z",
"last_name": "",
"user_name": ""
}
},
"key": "endr+foo",
"permissions": {
"roles": [
"SYSTEM_ROLE_CODE_SCANNER"
]
},
"secret": "endr+bar"
},
"tenant_meta": {
"namespace": "demo"
},
"uuid": "67dx6x6x6f69xxx777a41cda"
}
```
## Delete an API Key
Delete the API keys that are expired or no longer in use. You can delete API keys using the Endor Labs user interface or using the Endor Labs API.
### Delete an API key through the Endor Labs user interface
1. Select **Settings** > **Access Control** from the left sidebar.
2. Select **API Keys**.
3. Find the API key that you want to delete and click **Delete**.
### Delete an API key through Endor Labs API
Run the following command to delete an API key with the [delete API Key endpoint](/api-reference/apikeyservice/deleteapikey).
```shell theme={null}
endorctl api delete -r=APIKey --name=
```
The command fails if there are multiple API keys with the same name. You can use the UUID to delete a specific API key.
```shell theme={null}
endorctl api delete -r=APIKey --uuid=
```