API keys let scripts, tools, and services authenticate against your organization's resources without a human logging in. Use them for CI/CD pipelines, infrastructure-as-code (like Terraform), monitoring agents, and anything else that needs to call the portal programmatically.
Keys belong to the organization, not to you personally. Anyone authenticating with the key acts on the organization, limited to whatever scopes you grant.
Before you start
- API key creation is gated by role:
- Owners and Admins can create any key.
- Billing members can only create keys with the Billing scope.
- Technical (Member) role can only create resource scopes (VPS, BGP, Transit).
- Read-only members can't create keys at all.
- Each organization can have up to 10 active keys at a time. If you're at the cap, deactivate or delete an unused one to free a slot.
- The key value is shown exactly once at creation time. You have to copy it before closing the dialog - there is no way to see it again afterward.
- Have a place to paste the key value ready before you start (your password manager, your CI's secret variables, etc.).
1. Open the API Keys page
In the sidebar on the left, find the API Keys link under your organization, and click it.
You'll see a list of existing keys (if any), with each row showing the key's scopes, IP allowlist status, last-used time, and who created it. In the top right of the page there's the New API key button, and below the list there are panels for Interactive Docs and the Base URL.
2. Start a new key
- Click New API key in the top right of the page.
- The New API Key dialog opens.
3. Name the key
In the Key name field, type something descriptive - CI/CD pipeline, Datadog monitor, Terraform main, Backup script.
The name shows up in:
- The API Keys list.
- Audit log entries every time the key is used.
- The "this key was created" email that goes out to admins.
Make it specific enough that, six months from now, you'll know exactly what it does and whether you can safely revoke it.
4. Pick scopes
Scopes are what the key is allowed to do. They're grouped by area:
- VPS: Read (list servers, see stats, IPs, graphs) plus seven write sub-scopes for Power, Reinstall, Resize, Network, Block storage, Settings, and Cancel.
- Billing: Read invoices, balance, credits.
- BGP: Read peers and ASNs, plus Write to mutate peers and route policy.
- Transit: Read services, usage graphs, port data.
How to interact with the section:
- Click a group header (like "VPS") to toggle every scope in that group at once. Good for "give it all VPS access" cases.
- Click the chevron on the right of a group to expand it and pick individual sub-scopes.
- Read scopes have a grey badge. Write scopes are tinted to signal their blast radius - the more dangerous the action, the more obvious the visual.
A few rules to keep in mind:
- Pick the minimum. Only check the scopes the key actually needs. The fewer scopes, the smaller the damage if the key ever leaks.
- Non-admin members can't mix billing and resource scopes in the same key. If you need both areas, make two separate keys.
5. (Optional) Lock the key to specific IPs
In the IP allowlist field, you can paste a comma-separated list of IPs or CIDR ranges. The portal will reject requests using this key from any other address - even if the key value is correct.
Example: 203.0.113.0/24, 198.51.100.1
- Leave the field blank to allow requests from any IP.
- You can edit this list later from the same edit dialog without changing the key value.
This is one of the strongest things you can do to harden a key.
6. (Optional) Set an expiry date
In the Expiry field, pick a date. The key automatically stops working at midnight UTC on that date.
- Leave it blank if you want the key to be valid forever (or until you delete it manually).
- For short-lived CI tokens or contractor access, an expiry is a smart safety net - it auto-revokes itself if the cleanup step ever gets forgotten.
7. Create the key and copy the value
- Click Create Key at the bottom of the dialog.
- The dialog flips to a success state showing the actual key value, which starts with sk_….
- Read the notice carefully: This key will not be shown again. Copy it now. That's literal. Once you close this panel, the raw key value is gone. The portal stores a hash for verification, but the original string is unrecoverable.
- Click the key value (or the Copy button) to copy it to your clipboard.
- Paste it immediately into your secret store:
- Your password manager.
- Your CI provider's secret variables (GitHub Actions, GitLab CI, CircleCI, etc.).
- Your .env file (and make sure that file is in .gitignore).
- Wherever the consuming service reads it from.
- Click Done to close the dialog.
Using the key
Send the key in the X-API-Key request header against the portal's base URL (shown on the API Keys page):
X-API-Key: sk_…your_key…
For a live, interactive view of every endpoint, request shape, and response, click Interactive Docs at the top of the API Keys page. It opens the live OpenAPI browser where you can try requests with your key.
What changes from here
- The key shows up in the API Keys list with a green Active badge, the scope tags you picked, an IP locked badge if applicable, and Never used until its first real request.
- Every request the key makes is recorded in the Activity tab on the API Keys page (visible to owners and admins).
- A confirmation email goes to you, plus the organization's owners, admins, and billing recipients, so any new key creation gets noticed.