> ## Documentation Index
> Fetch the complete documentation index at: https://docs.incident.io/llms.txt
> Use this file to discover all available pages before exploring further.

# API keys

> Control API access with account-level and team-scoped permissions.

Create and manage API keys from [**Settings → API keys**](https://app.incident.io/~/settings/api-keys).

## Creating an API key

<Warning>
  We'll only show the API key token once at creation time, so store it somewhere safe.
</Warning>

API keys can have account-level permissions, team-scoped permissions, or a combination of both. This means teams can manage their own config via the API without risking changes to other teams' resources.

When you create a new API key, you choose which permissions it has. You can only grant permissions that you yourself have. If you only have team-level permissions, you'll only be able to create keys with team-scoped permissions.

### Account-level permissions

Account-level permissions apply across your entire organization. These are the same permissions available when creating [custom roles](/admin/user-permissions#custom-roles), such as creating incidents, managing workflows, or reading catalog data.

### Team-scoped permissions

Team-scoped permissions restrict what a key can do to resources owned by specific teams.

## Editing an API key

Existing API keys can be edited after creation. You can update the key's name, add or remove account-level permissions, and add or remove team-scoped permissions.

To edit a key, you need the same permissions required to manage it — see [Permissions required](#permissions-required) below.

## Permissions required

To manage API keys, you need one of:

* The account-level **Manage API keys** permission (via a [base or custom role](/admin/user-permissions))
* The team-scoped **Manage API keys** permission (via a [team role](/admin/team-roles))

Users with only team-scoped permissions can create, edit, and delete keys within their team, but cannot manage keys belonging to other teams.

<AccordionGroup>
  <Accordion title="Can an API key be scoped to multiple teams?">
    Yes. A key can be associated with multiple teams, but it will have the same set of team-scoped permissions across
    all of them.
  </Accordion>

  <Accordion title="Can a key have both global and team-scoped permissions?">
    Yes. A single key can have account-level permissions (e.g., read catalog data) alongside team-scoped permissions
    (e.g., manage schedules for a specific team).
  </Accordion>
</AccordionGroup>