Generate API Keys

Last modified on November 25, 2024

The StrongDM API allows for programmatic management of users, permissions, and resources within an organization.

API Credentials

To use the StrongDM API, you need to have an API access and secret key. These keys authorize every request when managing objects with the API, so please keep them safe.

The API access key is a hex string in the format auth-0123abcd, and the secret portion of the key is a string (for example, 1aBC23dEfgHiJklMnoPqr+stUVwxyz123ABC4dEFGhi1JKL/MNoPQR2S==).

From the Admin UI’s Principals > Tokens section, you can view, add, clone, and delete API keys.

API Keys & Admin Tokens
API Keys & Admin Tokens

How to add API keys

  1. In the Principals > Tokens section of the Admin UI, click Add API key.
  2. On the Create API Key page that displays, enter a name, determine when the credentials expire, and specify the scope of permissions.
    Create API Key
    Create API Key
  3. Click Create.
  4. Save the set of access and secret keys that are shown.

Clone keys

Cloning creates a new pair of keys with the same set of permissions as the original set.

Delete keys

Once deleted, API keys are instantly invalidated, preventing any further API requests from being made.

How to Use Keys

StrongDM has four language-specific SDKs and a Terraform provider. The following SDKs contain more information on the respective options.

What About the CLI?

The StrongDM CLI remains a convenient way of managing StrongDM resources with your user credentials. Please see the CLI reference docs for more information about the CLI.

API Keys Created by Suspended Users

What happens to API keys that are owned by a suspended user? API keys are still usable even if the user who created them is suspended.

When suspending a user, the Admin UI lists the API keys created by that user and asks if they should be deleted. Select No to keep them.

After confirming suspension, you can see in the Principals > Tokens page that the API keys continue to be owned by the suspended user. Because API keys are a public/private pair, new keys need to be created and the old keys need to be deleted when any automation systems use the new keys.