Kinde provides a comprehensive API key management system that allows you to issue and manage API keys for your own APIs.
This system supports both organization-level and user-level key management, making it suitable for B2B, B2C, and B2B2C business models.
API keys are long-lived credentials that allow end users to authenticate with your APIs.
They provide a simple way for users to access your services without going through OAuth flows and enable them to make requests outside of the browser, such as with CLIs, cURL, etc.
- Scoped: each key is limited to a specific API
- Permissions: each key can be granted specific scopes/permissions
- Secure: keys are stored as secure hashes and never exposed after creation
- Manageable: keys can be created, rotated, and revoked as needed
- Long-lived: API keys don’t expire unless you set an expiration date (coming soon)
- Managed by organization administrators
- Suitable for B2B scenarios where customers need access to your APIs
- Keys are associated with specific organizations
- Admins can manage keys on behalf of their users
- Managed by individual users
- Suitable for B2C scenarios where end users need API access
- Users create and manage their own keys
- Keys are associated with specific user accounts
Before you can issue API keys, you must register your APIs in Kinde:
- Provide a name and description
- Define available scopes
- Get a unique `api_id` for each API
Read more about API registration.
When creating an API key:
- Associate it with a registered API
- Assign specific scopes for access control
- Generate a secure secret (shown only once)
- Create a stable `key_id` for management
End users include the API key in their requests to your API:
- Usually sent in an `Authorization` header
- Your API extracts the key and verifies it with Kinde
- Kinde returns validation results including scopes and metadata
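The request-handling side of this flow, as an added example that is not Kinde's SDK code: an API server pulls the key out of the `Authorization` header, hands it to a verification callable, and enforces the required scope on what comes back. The `Bearer` scheme, the `verify_with_kinde` callable and the shape of its result (an `active` flag, a `key_id`, a list of `scopes`) are assumptions for illustration, not Kinde's actual response schema; the in-memory verifier at the bottom is a constructed stand-in so the example runs offline.

```python
"""Added example (not Kinde's SDK code): extract an API key from the
Authorization header and enforce scopes on the verification result."""
from dataclasses import dataclass, field
from typing import Callable, Mapping, Optional


@dataclass
class Decision:
    allowed: bool
    status: int                      # HTTP status the API should return
    reason: str
    key_id: Optional[str] = None
    scopes: frozenset = field(default_factory=frozenset)


def extract_api_key(headers: Mapping[str, str]) -> Optional[str]:
    """Return the credential from 'Authorization: Bearer <key>' (assumed scheme).
    Header names match case-insensitively; anything else is rejected."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if value is None:
        return None
    scheme, _, credential = value.strip().partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return None
    return credential


def authorize(headers: Mapping[str, str], required_scope: str,
              verify_with_kinde: Callable[[str], Optional[dict]]) -> Decision:
    """Decide whether a request may proceed. `verify_with_kinde` is an assumed
    callable that returns None for unknown keys or a dict with
    'active', 'key_id' and 'scopes' (illustrative shape, not Kinde's schema)."""
    key = extract_api_key(headers)
    if key is None:
        return Decision(False, 401, "missing or malformed Authorization header")
    result = verify_with_kinde(key)
    # Unknown and revoked keys get the same answer so the response does not
    # reveal which keys exist.
    if result is None or not result.get("active", False):
        return Decision(False, 401, "invalid or inactive key")
    scopes = frozenset(result.get("scopes", ()))
    key_id = result.get("key_id")
    if required_scope not in scopes:
        return Decision(False, 403, f"key lacks scope {required_scope!r}", key_id, scopes)
    return Decision(True, 200, "ok", key_id, scopes)


# Constructed stand-in for the verification call, so the example runs offline.
_FAKE_VERIFIER_DATA = {
    "ak_constructed_1": {"active": True, "key_id": "key_01", "scopes": ["read:orders"]},
    "ak_constructed_2": {"active": False, "key_id": "key_02",
                         "scopes": ["read:orders", "write:orders"]},
}


def fake_verify(secret: str) -> Optional[dict]:
    return _FAKE_VERIFIER_DATA.get(secret)


if __name__ == "__main__":
    print(authorize({"Authorization": "Bearer ak_constructed_1"}, "read:orders", fake_verify))
    print(authorize({"Authorization": "Bearer ak_constructed_1"}, "write:orders", fake_verify))
```

Returning 401 for both unknown and revoked keys, and 403 only once the key is known to be valid, keeps the distinction between "who are you" and "what may you do" without leaking key existence to an unauthenticated caller.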
Keys can be managed throughout their lifecycle:
- Rotate: generate new secrets while keeping the same key ID
- Revoke: mark keys as inactive
- Update: modify associated APIs or scopes (requires new key)
- Enable AI agents to access your APIs
- Support automated workflows and integrations
- Provide secure access for machine learning applications
- Allow customers to integrate with your platform
- Provide different access levels based on customer tier
- Track usage and enforce rate limits
- Enable automated scripts and tools
- Provide secure access for CI/CD pipelines
- Support internal development and testing
- Grant partners access to specific APIs
- Control what data and features partners can access
- Maintain audit trails for compliance
- Provide API access for developer tools and SDKs
- Enable self-service API exploration
- Support API testing and development
- API key secrets are never stored in plain text
- All secrets are hashed using secure algorithms
- No way to retrieve the original secret after creation
- Keys are tied to a single API
- Keys can be granted specific scopes/permissions
- Organization-level isolation prevents cross-tenant access
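The lifecycle rules (rotate keeps the `key_id`, revoke marks the key inactive, changing the API or scopes needs a new key) and the storage rules (only a hash is stored, the secret is shown once, a key is bound to a single API) can be seen together in one small key store. This is an added illustration of the model the page describes, not Kinde's implementation: the secret and `key_id` formats, the use of unsalted SHA-256 as the stored hash, and the in-memory dictionaries are all assumptions.

```python
"""Added example (not Kinde's implementation): a minimal key store that follows
the lifecycle and storage rules described on this page."""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class StoredKey:
    key_id: str
    api_id: str                 # a key is bound to exactly one API
    scopes: frozenset
    secret_hash: bytes          # SHA-256 of the secret; plaintext is never kept
    active: bool = True


class KeyStore:
    def __init__(self) -> None:
        self._by_id: Dict[str, StoredKey] = {}
        self._by_hash: Dict[bytes, str] = {}      # secret hash -> key_id

    @staticmethod
    def _hash(secret: str) -> bytes:
        # Assumed scheme: unsalted SHA-256 is adequate here because the secret
        # is a 256-bit random token, so no dictionary attack on the hash applies.
        return hashlib.sha256(secret.encode()).digest()

    @staticmethod
    def _new_secret() -> str:
        return "ak_" + secrets.token_urlsafe(32)    # assumed format

    def create(self, api_id: str, scopes: Iterable[str]) -> Tuple[str, str]:
        """Return (key_id, secret). The secret is returned only here."""
        key_id = "key_" + secrets.token_hex(8)      # assumed format
        secret = self._new_secret()
        digest = self._hash(secret)
        self._by_id[key_id] = StoredKey(key_id, api_id, frozenset(scopes), digest)
        self._by_hash[digest] = key_id
        return key_id, secret

    def rotate(self, key_id: str) -> str:
        """Issue a new secret under the same key_id; api_id and scopes stay put.
        The old secret stops working immediately."""
        rec = self._by_id[key_id]
        del self._by_hash[rec.secret_hash]
        secret = self._new_secret()
        rec.secret_hash = self._hash(secret)
        self._by_hash[rec.secret_hash] = key_id
        return secret

    def revoke(self, key_id: str) -> None:
        """Mark the key inactive; the record is kept for audit purposes."""
        self._by_id[key_id].active = False

    def verify(self, secret: str, api_id: str) -> Optional[StoredKey]:
        """Look the presented secret up by its hash. Succeeds only for an active
        key that is bound to the API being called."""
        key_id = self._by_hash.get(self._hash(secret))
        if key_id is None:
            return None
        rec = self._by_id[key_id]
        if not rec.active or rec.api_id != api_id:
            return None
        return rec


if __name__ == "__main__":
    store = KeyStore()
    kid, secret = store.create("api_orders", ["read:orders"])
    print(kid, store.verify(secret, "api_orders") is not None)
    print(store.verify(secret, "api_billing"))      # None: wrong API
```

There is deliberately no `update(api_id, scopes)` method: as the page states, changing the API or scopes means issuing a new key, so the scopes on a `StoredKey` are fixed at creation and only the secret hash and the active flag ever change.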