Create and manage API keys

Authenticate and authorize requests or tools to Cloud Observability APIs.

Overview

API keys let you authenticate and authorize requests or tools to Cloud Observability APIs. API keys have either organization- or project-level access.

Only some roles can manage API keys in Cloud Observability. Your role also determines the kinds of API keys you can create. The table below shows what the different roles can do with API keys:

| Permission | Organization Admin | Organization Billing Admin | Organization Editor | Organization Viewer |
|---|---|---|---|---|
| Create API keys | Yes | Yes | Yes* | No |
| Revoke API keys | Yes | Yes | Yes | No |
| View API keys | Yes | Yes | Yes | No |

* Organization Editors can only create API keys with Organization Editor or Organization Viewer permissions.

As of December 2024, only users with log access can create API keys. Options are being explored to allow API key creation by users without log access.

Using API keys

For API requests, include the API key in the Authorization header as a bearer token:

$ curl --request POST \
     --url https://api.lightstep.com/public/v0.2/organization/projects/project/notebooks \
     --header 'Authorization: Bearer YOUR-API-KEY' \
     --header 'accept: application/json' \
     --header 'content-type: application/json'

When integrating with tools, use one API key per tool. Keeping keys separate helps secure your systems.

API keys expire after one year for security reasons. To view expiration dates, click Settings > API keys.
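The curl request above puts the key on the command line, where it can end up in shell history and in the process list. The following is an added example, not part of the original documentation, that sends the same headers through curl's `--config -` (config read from stdin) instead. The variable name `LIGHTSTEP_API_KEY` and the function names are assumptions made for this example, as is the key character set, which follows the RFC 6750 bearer-token syntax.

```bash
#!/usr/bin/env bash
# Added example: keep the API key out of argv and shell history.
# Assumed names: LIGHTSTEP_API_KEY, api_key_curl_config, api_post.

# Emit curl config lines (for `curl --config -`) carrying the auth header.
# printf is a shell builtin, so the key never appears in a process's
# argument list. Keys outside the RFC 6750 bearer-token character set are
# rejected so a malformed value cannot inject extra config lines or headers.
api_key_curl_config() {
  local key="${LIGHTSTEP_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "LIGHTSTEP_API_KEY is not set" >&2
    return 1
  fi
  case "$key" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "LIGHTSTEP_API_KEY contains unexpected characters" >&2
      return 1
      ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$key"
  printf 'header = "accept: application/json"\n'
  printf 'header = "content-type: application/json"\n'
}

# POST to a path under the public API; the headers arrive on curl's stdin.
# --fail turns an HTTP error response (such as a rejected key) into a
# non-zero exit status instead of letting it pass silently.
api_post() {
  local path="$1" cfg
  cfg="$(api_key_curl_config)" || return 1
  printf '%s\n' "$cfg" | curl --silent --show-error --fail \
    --config - --request POST \
    --url "https://api.lightstep.com/public/v0.2/${path}"
}

# Usage, with the placeholder path from the request above:
#   read -rs LIGHTSTEP_API_KEY   # paste the key; nothing is echoed or saved
#   api_post "organization/projects/project/notebooks"
```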

Create API keys

Follow these steps to create a Cloud Observability API key:

  1. In Cloud Observability, click Settings > API keys.
  2. Click Create new API key and fill out the form:
    1. Name your API key under Add a description. The name appears and is searchable on the API keys page.
    2. Select For entire organization or For a specific project. For project API keys, click the drop-down to choose the relevant project.
    3. Click the Select role drop-down to choose the API key’s role. The API key gets every permission associated with that role.
  3. Click Confirm to view your API key in a dialog. For security reasons, this is the only time you can view the key. Copy the key and store it in a safe place for future use.
  4. Click Copy & Close to return to the API key page.

Your API key details appear in the Active tab. The expiration date is in the Expires column.

You can’t edit API key permissions. To change an API key’s access level, create a new API key, update every place that uses the original key to use the new one, and then revoke the original API key.

Revoke API keys

Follow the steps below to permanently disable an API key. Cloud Observability displays revoked API keys (and who revoked them) in the Revoked tab.

  1. In Cloud Observability, click Settings > API keys.
  2. Find the key you want to revoke and click Revoke.
  3. In the dialog, click Revoke key to disable the key. Cloud Observability displays Successfully revoked key to confirm your change.

Updated Nov 21, 2023