Create and Manage API Keys
You can generate and manage API keys in your PCCI Dashboard > Settings > API Keys section.
Linked to Organizations
API keys are issued at the organization level, not tied to individual users. This means:
- Any action performed using an API key is attributed to the owning organization.
- Multiple team members can collaborate using separate keys within the same organization.
- API keys persist independently of individual user accounts.
Unlimited Keys per Organization
Each organization can create any number of API keys, allowing for flexibility across environments, services, or teams. Common usage patterns include:
- One key per environment (e.g., `development`, `staging`, `production`)
- One key per integration (e.g., billing automation, analytics)
- Temporary keys for CI/CD or testing purposes
IP Restrictions
To enhance security, API keys can be restricted to specific IP addresses or subnets:
- Supports IPv4, IPv6, and CIDR notation
- Requests from unauthorized IPs will be rejected with a `403 Forbidden` error

Examples: `192.168.1.10`, `2001:0db8::/32`, `203.0.0.0/8`
Scoped Permissions
Each API key can be limited to a specific set of scopes, defining what parts of the API it can access. You’ll be prompted to set these scopes when creating an API key in the dashboard. If none are specified, the API key will have full permissions.
API Scopes Reference
| Scope | Description |
|---|---|
| api_keys.read | View and list API keys associated with your organization. |
| chats.completion | Access chat completion functionality. |
| webhooks.create | Create new webhooks for event notifications. |
| webhooks.read | View and list existing webhooks. |
| webhooks.update | Update webhook configurations. |
| webhooks.delete | Delete webhooks. |
| webhooks_queue.read | View webhook queue data. |
| webhooks_queue.update | Update webhook queue entries. |
| notifications.read | View notifications. |
| notifications.update | Update notifications. |
| notifications_settings.read | View notification settings. |
| notifications_settings.update | Update notification settings. |
| organizations.create | Create new organizations. |
| organizations.read | View organization information and details. |
| organizations.update | Update organization metadata and settings. |
| users.read | View and list users associated with your organization. |
| users.update | Update metadata of existing users. |
| users.sessions.read | View session data of existing users. |
| roles.create | Create new roles with specific permissions. |
| roles.read | View and list roles. |
| roles.update | Update existing role configurations. |
| roles.delete | Delete roles. |
| tools.execute | Execute tools and integrations. |
| files.encrypted.read | Read encrypted files. |
| files.encrypted.create | Upload encrypted files. |
| files.encrypted.delete | Delete encrypted files. |
A request made with a key lacking the required scope will return `403 Forbidden`.
Best Practices
- Rotate keys regularly to minimize exposure
- Use least privilege: only assign required scopes
- Restrict by IP where possible
- Avoid sharing keys between environments or teams
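
An added example (not PCCI code) that models the IP restriction and scope rules described above and audits a key inventory against these best practices. The inventory, the key names, the `200` success code, the treatment of an empty IP list as unrestricted, and the breadth thresholds are all assumptions made for illustration.

```python
import ipaddress

# Constructed key inventory; names and values are illustrative, not PCCI data.
KEYS = {
    "ci-temp": {"allowed_ips": ["192.168.1.10"], "scopes": ["chats.completion"]},
    "analytics": {"allowed_ips": ["2001:0db8::/32", "203.0.0.0/8"], "scopes": []},
}

def ip_allowed(source_ip, allowed_ips):
    """True if source_ip falls inside any allowlist entry (single IP or CIDR)."""
    addr = ipaddress.ip_address(source_ip)
    for entry in allowed_ips:
        net = ipaddress.ip_network(entry, strict=False)  # bare IP becomes /32 or /128
        if addr.version == net.version and addr in net:
            return True
    return False

def decide(key, source_ip, required_scope):
    """Model of the documented outcome: 403 on IP or scope mismatch, else 200."""
    # Assumption: a key with no IP entries is not IP-restricted.
    if key["allowed_ips"] and not ip_allowed(source_ip, key["allowed_ips"]):
        return 403
    # Per the page, a key created with no scopes has full permissions.
    if key["scopes"] and required_scope not in key["scopes"]:
        return 403
    return 200

def audit(keys, max_v4_hosts=256, max_v6_prefix=64):  # thresholds are assumptions
    """Flag keys that break least privilege: no scopes, no IPs, or broad ranges."""
    findings = []
    for name, key in keys.items():
        if not key["scopes"]:
            findings.append((name, "no scopes set: full permissions"))
        if not key["allowed_ips"]:
            findings.append((name, "no IP restriction"))
        for entry in key["allowed_ips"]:
            net = ipaddress.ip_network(entry, strict=False)
            too_broad = (net.num_addresses > max_v4_hosts if net.version == 4
                         else net.prefixlen < max_v6_prefix)
            if too_broad:
                findings.append((name, f"broad range {entry}"))
    return findings

if __name__ == "__main__":
    for finding in audit(KEYS):
        print(finding)
```

Running the audit on the constructed inventory flags the `analytics` key three times: it has no scopes, and both of its CIDR entries cover far more addresses than a single integration needs.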

