> ## Documentation Index
> Fetch the complete documentation index at: https://docs.devtune.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Create, scope, expire, and revoke project-scoped DevTune API keys for the public REST API and MCP server, all managed from the team-account sidebar.

The **API Keys** page is the account-level UI for managing project-scoped keys used by the DevTune API and MCP server.

Each key belongs to exactly one project, but key management happens from the team-account sidebar so your team can see all keys in one place.

## What the API Keys Page Shows

The page shows a table of existing keys across the account, including:

* **Name**
* **Key prefix**
* **Project**
* **Status**
* **Scopes**
* **Expiration**
* **Last used**
* **Created date**

If you have revoked keys, you can use the **Hide revoked** toggle to keep the table focused on active credentials.

## Creating a Key

Click **Create API Key** to open the creation dialog.

When creating a key, you choose:

* A friendly **name**
* The **project** the key should access
* An optional **expiration**
* The allowed **API scopes**

After creation, DevTune shows the raw key **once**. Copy it immediately and store it securely.

## Scopes

API keys can be left broad or narrowed to specific endpoint groups.

Use scopes when you want to:

* Limit a BI dashboard to read-only visibility data
* Restrict automation to actions or webhook management
* Give an agent the smallest access surface it needs

If a key has all scopes selected, it behaves like a full-access key for that project.

## Updating and Revoking Keys

From the table you can:

* Open the **Scopes** dialog to narrow or expand endpoint access
* **Revoke** a key you no longer trust or need

Revocation is immediate. Revoked keys stop working and can remain visible in the table when you disable **Hide revoked**.

## Expiration

Keys support optional expiration windows such as:

* No expiration
* 30 days
* 60 days
* 90 days
* 180 days
* 1 year

Use short-lived keys for temporary automations or contractor access.

## Permissions

Only team members with the `settings.manage` permission can manage API keys.

## Best Practices

* Create separate keys for separate systems
* Name keys after the integration that owns them
* Prefer scoped keys over full-access keys
* Use expiration for temporary access
* Revoke keys immediately when an integration is retired

## Next Steps

* **[Authentication](/api-reference/authentication)** - Learn how to use keys in requests
* **[MCP Server](/api-reference/mcp-server)** - Connect agent tooling with scoped keys
* **[Agent Activity](/account-billing/agent-activity)** - Audit how keys are being used
