1. Home
2. Manage Accounts and Access
3. Authenticate
4. API keys

Use API Keys

You can use different types of API keys to manage access and authentication to different parts of the service. An API key consists of a key and a secret.

• Kafka API keys are required to interact with Kafka clusters in Confluent Cloud. Each Kafka API key is valid for one specific Kafka cluster.
• Schema Registry API keys are required to interact with Schema Registry in Confluent Cloud. Each Schema Registry API key is valid for one specific Schema Registry.
• ksqlDB API keys are required to interact with ksqlDB apps in Confluent Cloud. Each ksqlDB API key is valid for one specific ksqlDB application.
• Cloud API keys are required to use the Confluent Cloud Metrics API. Cloud API keys are scoped to your entire Confluent Cloud organization, not to a particular resource.

You can create and manage API keys by using either the Confluent Cloud CLI or the Confluent Cloud Console.

For recommendations on using API keys, see Best Practices for using API Keys.

Ownership of API keys

Each API key belongs to either a specific user account or a specific service account. The number of API keys that can belong to a given user or service account is limited. Creating separate service accounts to own new API keys for new applications and use cases is recommended. Service accounts support access control lists (ACLs) so you can limit access to the minimum required by the new application.

Caution

When you delete a user account or service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which may cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a user or service account.

Resource-specific API keys for Kafka, Schema Registry, or ksqlDB

API keys are required to access Kafka clusters, Schema Registry, and ksqlDB apps in Confluent Cloud. Each resource API key is valid for one specific resource: one Kafka cluster, or one Schema Registry, or one ksqlDB app.

Create resource-specific API Keys using the Confluent Cloud Console

Prerequisite:

Access to Confluent Cloud with an active cluster. Log in to Confluent Cloud at https://confluent.cloud.

Important

Only users who are assigned the OrganizationAdmin role can create an API key. For details, refer to Confluent Cloud RBAC Roles.

1. If you have more than one environment, select an environment.

2. Select the resource you want to create an API key for (Kafka or Schema Registry).

   Note

   ksqlDB API keys must be managed using the Confluent Cloud CLI.

3. If this is the first API key for the resource, click Create key. If API keys already exist, click + Add key.

   

   The API key and secret are generated and displayed.

   

4. Click Copy to copy the key and secret to a secure location.

   Important

   The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later from the web interface. Store the secret and its corresponding key in a secure location. Do not share the secret for your API key.

5. (Optional but recommended) Enter a description of the API key that describes how you intend to use it, so you can distinguish it from other API keys.

6. Select the confirmation check box that you have saved your key and secret.

7. Click Continue. The key is added to the keys table.

   

   Manage API keys in the API Access tabs

   Tip

   You can search for API keys, add or delete keys, and edit descriptions of keys on the appropriate API Access tab.

Create resource-specific API keys using the Confluent Cloud CLI

Prerequisites:

• Access to Confluent Cloud with an active cluster.
• Confluent Cloud CLI is installed.
• Only users who are assigned the OrganizationAdmin role can create an API key. For details, refer to Confluent Cloud RBAC Roles.

1. Log in to your cluster using the ccloud login command.

   ccloud login
   

   Enter your Confluent Cloud credentials:
   Email: susan@myemail.com
   Password:
   

2. Create the API key and secret with the Kafka, Schema Registry, or ksqlDB resource ID (<resource-id>) specified. You can find the Kafka resource ID by using the ccloud kafka cluster list command. You can find the Schema Registry resource ID by using the ccloud schema-registry cluster describe command. You can find the ksqlDB resource ID by using the ccloud ksql app list command.

   ccloud api-key create --resource <resource-id> --description <prod key>
   

3. Save the API key and secret output in a secure location. The secret is not retrievable later.

   Tip

   To use an existing API key and secret, run this command with the resource ID (<resource-id>), API key (<api-key>), and API secret (<api-secret>) specified. This command registers an API key and secret created by another process and stores it locally.

   ccloud api-key store <api-key> <api-secret> --resource <resource-id>
   

4. Specify the Kafka API key and secret to use with subsequent commands run on the resource. For more information, see ccloud api-key use.

   ccloud api-key use <api-key>
   

   Note

   Specifying which API key to use is not necessary for Schema Registry resources.

Edit resource-specific API key descriptions using the Confluent Cloud Console

You can add, edit, or delete an optional description of an API key.

1. From the appropriate API Access tab for the Kafka, Schema Registry, or ksqlDB resource, select the key that you want to edit.
2. Click Edit description. Enter or edit the existing description. To delete the description, clear the text from the Description box.
3. Click Save.

Delete resource-specific API keys using the Confluent Cloud Console

You can delete an API key you no longer use or that has had its secret compromised.

1. From the appropriate API Access tab for the Kafka, Schema Registry, or ksqlDB resource, select the key that you want to delete.

2. Click the trash icon. The Confirm API key deletion dialog appears.

   

3. Click Confirm.

   Caution

   The delete API key action cannot be undone.

Create Kafka API Keys and associate with existing user account

You can create a new Kafka API key and associate it with an existing user account.

1. Navigate to the cluster in which you want to create a Kafka API key.
2. Click the API access tab, and then click +Add key.
3. Select Create an API key associated with your account. When you specify this option, the new API key will inherit the same access permissions that are already specified for your existing user account.
4. Enter a description, save your API key and secret in a safe place, and select the checkbox indicating you have saved the key and secret. Click Save.

Confluent Cloud API keys

Confluent Cloud API keys allow you to use the Confluent Cloud Metrics API. Cloud API keys are scoped to your entire Confluent Cloud organization, not to a particular resource.

Create Cloud API keys using the Confluent Cloud Console

Prerequisites:

• Access to Confluent Cloud
• You must be assigned the OrganizationAdmin role to create an API key in Confluent Cloud. For details, refer to Confluent Cloud RBAC Roles.

1. From the Administration menu, click Cloud API keys or go to https://confluent.cloud/settings/api-keys.

2. Click Add key.

3. Choose whether to create the key under your user account or under a service account. Creating the key under a service account is recommended so you can scope access to specific resources.

   The API key and secret are generated and displayed.

4. Click Copy to copy the key and secret to a secure location.

   Important

   The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later from the web interface. Store the secret and its corresponding key in a secure location. Do not share the secret for your API key.

5. (Optional but recommended) Enter a description of the API key that describes how you intend to use it, so you can distinguish it from other API keys.

6. Select the confirmation check box that you have saved your key and secret.

7. Click Save. The key is added to the keys table.

Create Cloud API keys using the Confluent Cloud CLI

Prerequisites:

• Access to Confluent Cloud.
• Install the Confluent Cloud CLI is installed.
• You must be assigned the OrganizationAdmin role to create an API key in the Confluent Cloud CLI. For details, refer to Confluent Cloud RBAC Roles.

1. Log in to your cluster using the ccloud login command.

   ccloud login
   

   Enter your Confluent Cloud credentials:
   Email: susan@myemail.com
   Password:
   

2. Create the Cloud API key and secret with cloud specified as the --resource. You can optionally add a description for the key by including the --description flag.

   ccloud api-key create --resource cloud --description <key description>
   

3. Save the API key and secret output in a secure location. The secret is not retrievable later.

   Tip

   To use an existing API key and secret, run this command with the resource ID (cloud), API key (<api-key>), and API secret (<api-secret>) specified. This command registers an API key and secret created by another process and stores it locally.

   ccloud api-key store <api-key> <api-secret> --resource cloud
   

Important

When you remove a user’s role assignment on a cluster for which the user created an API key, then the API key will continue to work even after the user’s role assignment has been removed. For example:

• Bob has the OrganizationAdmin role.
• Bob creates an API key for cluster_1 in the Prod_1 environment.
• Bob’s roles are updated, and he no longer has the OrganizationAdmin role in Prod_1. Now he is assigned the EnvironmentAdmin role for the Dev_1 environment.
• The API key that Bob created continues to work for cluster_1.

In such cases, if the API key allows unintended access, you must delete it:

# List the API keys owned by Bob
ccloud api-key list --"Bob"
# Delete the API key that Bob created
ccloud api-key delete <api-key>