Provide secure, self-service API key management to your customers.
Generate API keys for users to authenticate with your application programmatically.
To enable API key management for your users, ensure at least one role includes the widgets:api-keys:manage permission. This permission allows users to access the API Keys Widget and manage keys within their organization.
Assign permissions to roles in the WorkOS Dashboard under Roles & Permissions.
Control which permissions your users can assign to API keys by configuring API key permissions in your environment.
For example, you might create permissions like:
posts:read – Read access to posts
posts:write – Write access to posts
users:read – Read access to user data
By configuring only posts:read and posts:write as available API key permissions, your users can create API keys with granular access controls, such as read-only keys that only have the posts:read permission.
Configure API key permissions in the WorkOS Dashboard on the Roles & Permissions page under Organization API Key Permissions.
The easiest way to enable API key management for your users is through the API Keys Widget. This widget provides a complete interface for creating, viewing, and revoking API keys.
The widget allows your users to:
The widget interacts with the WorkOS API and renders the user interface in your app, so your customers get full control over their API keys in just a few lines of code.
Manage API keys programmatically using the WorkOS API. This is useful for building custom API key management interfaces or automating key lifecycle operations.
Once API keys have been created, validate these keys when they are used to authenticate API requests. When an API request includes an API key (typically in the Authorization header), validate it with WorkOS to ensure it is legitimate and retrieve the associated permissions.
The validate API key endpoint returns the complete API key object, including:
This information allows your application to not only authenticate the request but also authorize it based on the specific permissions granted to that API key.
```typescript
import { NextResponse } from 'next/server';
import { validateApiKey } from '@workos-inc/authkit-nextjs';

export async function GET() {
  // Validate the API key carried by the incoming request with WorkOS.
  const { apiKey } = await validateApiKey();

  // No valid key: refuse the request before doing any work.
  if (!apiKey) {
    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
  }

  return NextResponse.json({ success: true });
}
```
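The handler above only authenticates; the authorization step that follows, as an added example that is not WorkOS code, checks the key's permissions against what the route requires. The key lookup is a constructed stand-in for validateApiKey(), and the permissions field name on the validated key object is an assumption.

```typescript
type ValidatedApiKey = { id: string; name: string; permissions: string[] };

type AuthzResult =
  | { ok: true; key: ValidatedApiKey }
  | { ok: false; status: 401 | 403; error: string };

// Extract the secret from a "Bearer <secret>" Authorization header value.
function extractBearerToken(header: string | null): string | null {
  if (!header) return null;
  const match = /^Bearer\s+(\S+)$/i.exec(header.trim());
  return match?.[1] ?? null;
}

// Constructed stand-in for the lookup WorkOS performs inside validateApiKey().
// A Map (not a plain object) so that a secret such as "constructor" cannot
// match an inherited property and be mistaken for a valid key.
const CONSTRUCTED_KEYS = new Map<string, ValidatedApiKey>([
  ['sk_example_readonly', { id: 'key_1', name: 'Reporting', permissions: ['posts:read'] }],
  ['sk_example_editor', { id: 'key_2', name: 'Editor bot', permissions: ['posts:read', 'posts:write'] }],
]);

function lookupKey(secret: string): ValidatedApiKey | null {
  return CONSTRUCTED_KEYS.get(secret) ?? null;
}

// Authenticate (is the key valid?) and then authorize (does the key hold every
// permission this route requires?). 401 and 403 stay distinct so logs and
// clients can tell an invalid key from an under-privileged one.
function authorizeRequest(
  authorizationHeader: string | null,
  required: string[],
  lookup: (secret: string) => ValidatedApiKey | null = lookupKey,
): AuthzResult {
  const secret = extractBearerToken(authorizationHeader);
  if (!secret) return { ok: false, status: 401, error: 'Unauthorized' };
  const key = lookup(secret);
  if (!key) return { ok: false, status: 401, error: 'Unauthorized' };
  const granted = new Set(key.permissions);
  const missing = required.filter((p) => !granted.has(p));
  if (missing.length > 0) {
    return { ok: false, status: 403, error: `Missing permission: ${missing.join(', ')}` };
  }
  return { ok: true, key };
}
```

In a real route handler the object returned by validateApiKey() takes the place of the constructed lookup, and the required permissions are those configured for the route (for example posts:write for a handler that creates posts).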
View and revoke your customers’ API keys through the WorkOS Dashboard or via the API:
From this view, you can see all API keys created by the organization, including their names, permissions, creation dates, and last usage information. This provides valuable visibility into how your customers are using API keys.
API key lifecycle changes are tracked via the api_key.created and api_key.revoked events. View these events on the events page or listen for them in your application via the events API.