Issue a project-scoped API key
An API key is the credential an application presents when it calls a gateway. Keys are created in the context of a project, so a key belongs to one project and works only against that project's gateway. This guide creates a project-scoped key and explains the isolation it carries.
Because keys are project-scoped, they are part of what keeps projects isolated from one another: a key issued for one project is refused on any other project's gateway, and it can reach only the models that project has been granted. Creating a key is done from the project context, so the project must be selected first.
Persona: Platform operator or project administrator working in the Admin Dashboard.
Estimated time: 5 minutes per key.
Outcomes
By the end of this guide:
- An API key exists that is scoped to a single project.
- The key's scope is understood: it authenticates only against that project's gateway.
- The one-time nature of the key value is understood, so it is captured securely at creation.
Prerequisites
- Membership of the project, with permission to create keys.
- The project already has a gateway provisioned, so the key has an endpoint to authenticate against. See Provision a gateway for a project.
Step 1: Select the project
- Use the project switcher at the top of the application to select the project the key is for, for example
bedrock-team. - Confirm the application has re-scoped to that project before creating the key.
Everything done in the application, including key creation, applies to the currently selected project. Selecting the wrong project produces a key that will not work against the intended gateway.
Step 2: Create the API key
- Open API Keys and select Add API Key.
- Name the key so its purpose is recognisable later, then create it.
- Copy the key value immediately. It is shown once, so it must be captured at this point and stored securely.
Step 3: Understand the key's scope
The key is bound to the project it was created in.
- It authenticates only against that project's gateway hostname. Presented to another project's gateway, it is refused with
403. - It can call only the models granted to the project. A request for a model the project does not have returns
404.
This scoping is automatic and needs no extra configuration. The same isolation applies to MCP: a profile reached with a key from another project, or on another project's gateway, is refused. Organisation-wide key practices, including rotation and revocation, are covered in Onboard developers and issue keys.
What to do next
- Provision a gateway for a project: the endpoint this key authenticates against, including how to repoint existing clients. See Provision a gateway for a project.
- Grant MCP servers and profiles to a project: extend the project with tools reached using this same key. See Grant MCP servers and profiles to a project.
Where to go next