---
title: API Keys
subtitle: Authenticate programmatic access to the Elacity API
slug: api-keys
---
API keys let you call the Elacity API from scripts, CI pipelines, and deployed agents without a browser session. Each key is scoped to a single organization.
## Create an API key
1. Sign in to [elacity.ai](https://elacity.ai/app) and select your organization
2. Navigate to **Settings → API Keys**
3. Click **Create API Key**, give it a descriptive name (e.g. `ci-deploy`, `production-agent`), and confirm
4. Copy the key immediately — it is only shown once
Store your API key in a secrets manager or environment variable. If you lose it, revoke the old key and create a new one.
## Use the key
Include the key in the `X-API-Key` header on every request:
```bash
curl -H "X-API-Key: YOUR_API_KEY" \
  https://elacity.ai/api/environments/list \
  -d '{"orgSlug": "your-org"}'
```
All endpoints that accept API key authentication look for this header. If the key is missing or invalid, the API returns `401 Unauthorized`.
## Manage existing keys
From the **Settings → API Keys** page you can:
* **View** a list of all active keys with their names and creation dates
* **Revoke** a key you no longer need — revocation is immediate and cannot be undone
API keys inherit the permissions of the organization they belong to. Any key for an organization can access all registries, agents, and environments within that organization.
## Security best practices
* **Rotate regularly** — create a new key and revoke the old one on a schedule that fits your security policy
* **Use one key per integration** — if a key is compromised you can revoke it without disrupting other systems
* **Never commit keys to source control** — use environment variables or a secrets manager instead
* **Restrict network access** where possible using firewall rules or allowlists
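
The following is an added example, not Elacity's own code: a shell wrapper for the request shown under "Use the key" that follows the environment-variable advice above. It reads the key from `ELACITY_API_KEY` (an assumed variable name), feeds the header to curl on stdin so the key never appears in the process arguments, and maps `401` to its own exit code; the function names and the slug character set are also assumptions.

```bash
# Added example, not Elacity's own code (POSIX sh compatible). ELACITY_API_KEY,
# the function names and the slug character set are assumptions; the header,
# URL and 401 behaviour are taken from the page.
ELACITY_URL="https://elacity.ai/api/environments/list"

# Print the header line for `curl -H @-` (curl 7.55.0+). Feeding it on stdin
# keeps the key out of argv, where `ps` would expose it to other local users.
elacity_auth_header() {
  key="${ELACITY_API_KEY:-}"
  nl='
'
  cr=$(printf '\r')
  if [ -z "$key" ]; then
    echo "ELACITY_API_KEY is not set; load it from your secrets manager" >&2
    return 2
  fi
  case "$key" in
    *"$nl"*|*"$cr"*)
      # A key pasted with a line break would smuggle in a second header.
      echo "ELACITY_API_KEY contains a line break; re-copy the key" >&2
      return 2 ;;
  esac
  printf 'X-API-Key: %s\n' "$key"
}

# Map the HTTP status to an exit code a CI job can branch on.
elacity_check_status() {
  case "$1" in
    2??) return 0 ;;
    401) echo "401 Unauthorized: key missing or invalid" >&2; return 3 ;;
    *)   echo "unexpected HTTP status $1" >&2; return 1 ;;
  esac
}

# Usage: elacity_list_environments ORG_SLUG [BODY_FILE]
elacity_list_environments() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "invalid org slug" >&2; return 2 ;;
  esac
  header=$(elacity_auth_header) || return $?
  status=$(printf '%s\n' "$header" | curl -sS -o "${2:-/dev/null}" \
    -w '%{http_code}' -H @- -d "{\"orgSlug\": \"$1\"}" "$ELACITY_URL") || return 1
  elacity_check_status "$status"
}
```

Source the file in a job that already has `ELACITY_API_KEY` injected, then run `elacity_list_environments your-org response.json`; exit code 3 signals that the key should be checked or replaced.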
## Next steps
* Explore the available endpoints
* Set up your account and organization