Use API Keys to Authenticate to Confluent Cloud

You can use Confluent Cloud API keys to authenticate to Confluent Cloud components and resources. Each API key is associated with a specific user account or service account and can be scoped for use with specific Confluent Cloud resources.

Each Confluent Cloud API key consists of an API key ID and an API secret that are used to uniquely identify and authenticate an application when you use the Confluent CLI or the Confluent Cloud APIs.

API keys are long-lived, static credentials that provide direct authentication without token exchange. Once created, they remain valid until rotated or deleted.

API key format

Note

Starting July 30, 2025, API secrets include a cflt prefix. The prefix appears only in API secrets (not API key IDs) and helps secret scanning tools detect and flag accidentally leaked Confluent secrets in code, logs, and configuration files. API secrets created before this date may not include cflt; both old and new formats continue to work for authentication.

API key ID format

The API key ID is a unique identifier for the API key. It is used as the username in client configurations and is not considered secret information.

Example:

ABCD1234567890AB

API secret format

The API secret is the confidential credential used with the API key ID to authenticate. The secret is shown only once at creation and cannot be retrieved later.

API secrets created after July 30, 2025 have a cflt prefix followed by 60 characters consisting of A-Z, a-z, 0-9, + or /. For example:

cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw

Additionally, the final 6 characters contain a Base64-encoded CRC32 checksum of the prior 54 characters, which helps virtually eliminate false positives during offline secret scanning.

Secret detection

The structured format with checksum validation enables reliable detection of API secrets in code repositories, logs, and configuration files. A Python snippet to validate a probable API secret is shown below:

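import base64
import re
import zlib

# "cflt" prefix, then the 54-character body (group 1) and the 6-character checksum (group 2).
PATTERN = re.compile(r"cflt([A-Za-z0-9+/]{54})([A-Za-z0-9+/]{6})")
INPUT = "cfltT8d8RzkNseTMEDKcjNM1BZTFPHqRn/dQm9q7w6SjzZ12wZfwjaJdipHZtDjw"

for match in PATTERN.finditer(INPUT):
    # CRC32 of the body, serialized as 4 little-endian bytes.
    checksum = zlib.crc32(match.group(1).encode("ascii"))
    # Base64 of 4 bytes is 6 characters plus "==" padding; keep the 6 characters.
    expected = base64.b64encode(checksum.to_bytes(4, "little"))[:6]
    # Report the candidate only when the embedded checksum matches.
    if match.group(2) == expected.decode("ascii"):
        print(f"Potential Confluent API Secret: {match.group(0)}")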
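
The same checksum check can drive redaction of logs and configuration files before they are stored or shared. The following is an added example, not Confluent's code: it goes beyond the snippet above by scanning overlapping candidates, so a window that fails the checksum cannot hide a real secret starting inside it, and by replacing each hit with a short SHA-256 fingerprint for correlation. The function names, marker format, and sample values are assumptions constructed for illustration, and secrets without the cflt prefix are not matched.

```python
import base64
import hashlib
import re
import zlib

# Zero-width lookahead so candidates may overlap: a window that fails the
# checksum must not hide a real secret that starts inside it.
CANDIDATE = re.compile(r"(?=cflt([A-Za-z0-9+/]{54})([A-Za-z0-9+/]{6}))")


def checksum6(body: str) -> str:
    """First 6 Base64 characters of the little-endian CRC32 of the 54-char body."""
    crc = zlib.crc32(body.encode("ascii"))
    return base64.b64encode(crc.to_bytes(4, "little"))[:6].decode("ascii")


def find_secrets(text: str) -> list[tuple[int, int]]:
    """Return (start, end) spans of checksum-valid secrets, non-overlapping."""
    spans, last_end = [], 0
    for m in CANDIDATE.finditer(text):
        if m.start() >= last_end and m.group(2) == checksum6(m.group(1)):
            last_end = m.start() + 64  # 4 prefix + 54 body + 6 checksum
            spans.append((m.start(), last_end))
    return spans


def redact(text: str) -> str:
    """Replace each valid secret with a marker carrying a SHA-256 fingerprint."""
    out, pos = [], 0
    for start, end in find_secrets(text):
        digest = hashlib.sha256(text[start:end].encode("ascii")).hexdigest()[:12]
        out.append(text[pos:start] + f"cflt[REDACTED sha256:{digest}]")
        pos = end
    return "".join(out) + text[pos:]


# Constructed sample values (not real credentials): a made-up 54-character
# body with its checksum appended, and a copy with one body character changed.
BODY = "A1b2C3d4E5f6G7h8I9j0" * 2 + "K1l2M3n4O5p6Q7"
SAMPLE_SECRET = "cflt" + BODY + checksum6(BODY)
TAMPERED = "cflt" + "B" + BODY[1:] + checksum6(BODY)
SAMPLE_LOG = (
    f"2025-08-01 sasl.password={SAMPLE_SECRET}\n"  # valid: redacted
    f"2025-08-01 note={TAMPERED}\n"                # bad checksum: left as is
    f"2025-08-01 blob=cflt{SAMPLE_SECRET}\n"       # secret inside a failed window
)

if __name__ == "__main__":
    print(redact(SAMPLE_LOG))
```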

Notes

  • Do not infer scope or permissions from the format of the key or secret. Use the Confluent Cloud Console, Confluent CLI, or Confluent Cloud APIs to determine scope and permissions.
  • Store the API secret securely (for example, a secrets manager). If the secret is lost, rotate or create a new key to obtain a new secret.
  • API key operations (CreateAPIKey, DeleteAPIKey, UpdateAPIKey, GetAPIKey, GetAPIKeys) and authentication events (kafka.Authentication) are captured in audit logs for security monitoring and compliance. For audit event details, see API key management events and API key authentication events.

Resource scopes

Confluent Cloud API keys can be created for the following resource scopes:

Kafka cluster
Used to access the specified Kafka cluster. To create an API key for Kafka, you must specify the Environment and Kafka cluster.
Schema Registry
Used to access the specified Schema Registry. To create an API key for Schema Registry, you must specify the Environment and Schema Registry cluster.
ksqlDB cluster
Used to access the specified ksqlDB application. To create an API key for ksqlDB, you must specify the Environment and ksqlDB cluster.
Flink region
Used to access the Flink compute pools and statements in the specified region. To create an API key for Flink, you must specify the Environment, cloud service provider, and region.
Tableflow
Used to authenticate to Catalog APIs. The API key is scoped to any topics the principal has access to, which can span multiple Confluent Cloud environments and clusters.
Cloud resource management
Used to access the resource management APIs for managing the Confluent Cloud resources in your organization. For details, see Confluent Cloud APIs.

To create and manage Confluent Cloud API keys, you can use the following tools:

For recommendations on using API keys, see Best Practices for Using API Keys on Confluent Cloud.

API keys and Confluent Cloud accounts

Each API key is associated with a specific user account or service account. The limit on the number of API keys that can be associated with user or service accounts is specified in the service quotas for API keys.

  • A best practice is to create separate service accounts, each associated with an API key, for each application or use case to narrow the operational impact of retiring a specific API key.
  • Because a user’s access to a resource might change over time, you should avoid using API keys associated with user accounts for production environments. You can use these API keys for development and testing. When an API key is tied to a user account, it inherits the permissions of that account. Consequently, if the user account is deleted, the associated API key will also be deleted, potentially causing unexpected disruptions.
  • Permissions are not associated with an API key, but with the user or service account. For details, see Role-based Access Control (RBAC) on Confluent Cloud and ACL Overview.
  • Group mapping permissions are not granted to an API key associated with an SSO user account. For details, see Limitations.

Warning

Before deleting a user or service account, verify that any associated API keys are not in active use. To view the API keys associated with a user or service account, see View API keys.

When you delete a user account or service account, all access by that account is revoked, including access using any associated API keys.