> ## Documentation Index
> Fetch the complete documentation index at: https://docs.stackone.com/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Steps to generate and manage API keys

To connect your application with StackOne securely, you need to generate API keys. These keys authenticate your application and protect your data.

## Step-by-Step Guide to Generating an API Key

<Steps>
  <Step title="Access the API Key Management Section">
    Log in to StackOne and go to **Project Settings > API Keys** in the left navigation menu. This is where you can generate and manage your API keys.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/l4MZTg99MwgmoSMp/images/guides/api-keys-list.png?fit=max&auto=format&n=l4MZTg99MwgmoSMp&q=85&s=ecd7cf3c9f7aaa1041615d3fcb34ac8c" alt="API Keys management page" width="1281" height="300" data-path="images/guides/api-keys-list.png" />
    </Frame>
  </Step>

  <Step title="Generate a New API Key">
    Click the **Create API key** button. In the popup dialog, enter a name for your key (e.g., `my-agent-key` or `production-hris-sync`). This name is a label and cannot be changed later.

    <Frame>
      <img src="https://mintcdn.com/stackone-60/l4MZTg99MwgmoSMp/images/guides/api-key-create-dialog-scopes.png?fit=max&auto=format&n=l4MZTg99MwgmoSMp&q=85&s=bedd7a4a00797c83caf72edd6792cbc9" alt="Create API key dialog with scopes" width="1281" height="959" data-path="images/guides/api-key-create-dialog-scopes.png" />
    </Frame>
  </Step>

  <Step title="Configure API Key Scopes (optional)">
    New keys come with a default set of scopes enabled (see the **Default** column below). Expand the **Scopes** section to enable or restrict access based on your application's needs.

    ### Available Scopes

    | Scope            | Default      | Description                                                                                                                                                                                                                                                                    |
    | ---------------- | ------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
    | **Platform API** | Read + Write | Access to account management, [session tokens](/platform/using-session-tokens), and connector profiles. Required for [Platform API](/platform/introduction) operations such as StackOne Connect and account management.                                                        |
    | **Actions**      | Execute      | Allows you to interact with actions via RPC and MCP.                                                                                                                                                                                                                           |
    | **Connectors**   | Read         | Access to custom connector management. **Read** (`connectors:read`) allows downloading connectors from the registry. **Write** (`connectors:write`) allows pushing and deleting connectors. Required for [Connector Engine](/guides/connector-engine/introduction) operations. |
    | **Credentials**  | Off          | Retrieve stored credentials for direct provider access (read-only). Required for StackOne CLI and running actions outside the platform.                                                                                                                                        |
    | **Unified API**  | Read + Write | Access to all legacy (unified) endpoints (HRIS, ATS, CRM, LMS, etc.) for reading and writing data across connected providers.                                                                                                                                                  |

    <Tip>
      For AI agents, you typically need:

      * **Platform API Read**: to list connected accounts
      * **Actions Execute**: to interact with actions via RPC and MCP
      * **Connectors Read**: to download connectors from the registry
      * **Credentials Read**: to retrieve stored credentials for direct provider access
    </Tip>
  </Step>

  <Step title="Copy and Store the API Key">
    After clicking **Generate**, the API key is displayed on-screen. Copy it immediately and store it securely. This is the only time it will be shown. If you lose the key, you'll need to generate a new one.

    <Warning>
      Store the key in a secure location such as a password manager or secrets vault. Never commit API keys to source control.
    </Warning>
  </Step>

  <Step title="Manage Your API Keys">
    Your new API key appears in the **API Keys** table. From here you can:

    * **Enable/Disable** keys using the toggle switch
    * **View scopes** for each key
    * **Delete** keys that are no longer needed

    The **Last used** column helps you identify stale keys that should be revoked.
  </Step>
</Steps>

## Using the generated API Key

You will need to include the API key for every API call. Pass the API key as the username for Basic authentication (no password required) when calling any API endpoint, such as the [List Accounts endpoint](/platform/api-reference/accounts/list-accounts).

The use of API keys is tracked, allowing you to monitor their activity and revoke them if necessary. The **Last used** column on the API keys table indicates the last call made with each key. For security reasons, you are encouraged to regularly review your API keys list and revoke any that are no longer needed.
