Manage Confluent Cloud API Keys

API keys are required to produce to or consume from your Apache Kafka® clusters in Confluent Cloud. Separate API keys are required for Kafka, Schema Registry, and ksqlDB. To create Schema Registry keys, see Create Schema Registry API Keys in the UI. To create ksqlDB keys, see Create streaming queries in Confluent Cloud ksqlDB.

You can create API keys by using either the Confluent Cloud CLI or web user interface.

Caution

When you delete a user account or service account, all associated API keys will also be deleted. Any client applications using a deleted API key will lose access, which may cause an outage for your streaming application. Always confirm that none of the API keys owned by an account are in active use before deleting a user or service account.

Create API Keys using the CLI

Prerequisites:
  1. Log in to your cluster using the ccloud login command with the cluster URL specified.

    ccloud login
    
    Enter your Confluent Cloud credentials:
    Email: susan@myemail.com
    Password:
    
  2. Create the API key and secret with the Kafka or Schema Registry resource ID (<resource-id>) specified. You can find the Kafka resource ID by using the ccloud kafka cluster list command. You can find the Schema Registry resource ID by using the ccloud schema-registry cluster describe command.

    ccloud api-key create --resource <resource-id> --description "<prod key>"
    
  3. Save the API key and secret output in a secure location. The secret is not retrievable later.

    Tip

    To use an existing API key and secret, run this command with the resource ID (<resource-id>), API key (<api-key>), and API secret (<api-secret>) specified. This command registers an API key and secret created by another process and stores them locally.

    ccloud api-key store <api-key> <api-secret> --resource <resource-id>
    
  4. Specify the Kafka API key and secret to use with subsequent commands run on the Kafka cluster. For more information, see ccloud api-key use.

    ccloud api-key use <api-key>
    

    Note

    Specifying which API key to use is not necessary for Schema Registry resources.
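
One way to carry out step 3 from a script, added here as an example and not taken from Confluent's documentation or tooling: the key and secret are read from stdin so they never appear in the process list or shell history, and they are written to a file that only its owner can read. The file layout and the CCLOUD_API_KEY and CCLOUD_API_SECRET names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: store a Confluent Cloud API key and secret in an
# owner-only file. The file layout and variable names are assumptions.

# save_api_key FILE
# Reads two lines from stdin: the API key, then the API secret.
save_api_key() {
    file=$1
    IFS= read -r key || :
    IFS= read -r secret || :
    if [ -z "$key" ] || [ -z "$secret" ]; then
        echo "save_api_key: empty key or secret" >&2
        unset key secret
        return 1
    fi
    (
        umask 077   # create the file as 0600, never briefly world-readable
        set -C      # noclobber: never overwrite an existing key file,
                    # because a lost secret cannot be retrieved again
        printf 'CCLOUD_API_KEY=%s\nCCLOUD_API_SECRET=%s\n' \
            "$key" "$secret" > "$file"
    ) 2>/dev/null && status=0 || status=$?
    unset key secret   # do not leave the secret in shell variables
    [ "$status" -eq 0 ] ||
        echo "save_api_key: could not create $file (exists or not writable)" >&2
    return "$status"
}

# key_file_is_private FILE
# Succeeds only if FILE is a regular file with no group or other access.
key_file_is_private() {
    # Characters 5-10 of the ls mode string are the group and other bits.
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Usage (type or pipe the key on line one and the secret on line two):
#   save_api_key "$HOME/.ccloud-prod-key.env"
#   key_file_is_private "$HOME/.ccloud-prod-key.env" || echo "fix permissions" >&2
```
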

Create Kafka API Keys in the UI

Prerequisite:
Access to Confluent Cloud with an active cluster. Log in to Confluent Cloud at https://confluent.cloud.
  1. If you have more than one environment, select an environment.

  2. Select a cluster from the navigation bar.

  3. Click the Kafka API keys tab.

  4. If this is the first API key for the cluster, click Create key. If API keys already exist, click + Add key.

    The API key and secret are generated and displayed.

  5. Click Copy to copy the key and secret to a secure location.

    Important

    The secret for the key is only exposed initially in the Create API key dialog and cannot be viewed or retrieved later from the web interface. Store the secret and its corresponding key in a secure location. Do not share the secret for your API key.

  6. (Optional but recommended) Enter a description of the API key.

  7. Select the confirmation check box that you have saved your key and secret.

  8. Click Continue. The key is added to the keys table.

    Tip

    You can search for API keys, add or delete keys, and edit descriptions of keys on the appropriate API Access tab.

Create Schema Registry API Keys in the UI

To use Confluent Cloud Schema Registry for managing Kafka clusters, you need an API key specific to Schema Registry.

Prerequisite:
Access to Confluent Cloud with an active cluster. Log in to Confluent Cloud at https://confluent.cloud.
  1. If you have more than one environment, select an environment.
  2. Click Schemas on the navigation bar.
  3. Click the API access tab.
  4. If this is the first API key for the cluster, click Create key. If API keys already exist, click + Add key. The API key and secret are generated and displayed.
  5. (Optional but recommended) Enter a description of the API key.
  6. Select the confirmation check box that you have saved your key and secret.
  7. Click Continue. The key is added to the keys table.

Edit API key descriptions using the UI

You can add, edit, or delete an optional description of an API key.

  1. From the appropriate API Access tab (accessed from either Kafka Cluster settings or Schema Registry), select an Access Key.
  2. Click Edit description. Enter or edit the existing description. To delete the description, clear the text from the Description box.
  3. Click Save.

Delete API keys using the UI

You can delete an API key you no longer use or that has had its secret compromised.

  1. From the API Access tab (accessed from either Kafka Cluster settings or Schema Registry), select the key that you want to delete.

  2. Click the trash icon. The Confirm API key deletion dialog appears.

  3. Click Confirm.

    Caution

    The delete API key action cannot be undone.