API Keys
Programmatic access to the RosettaHub API with scoped, time-limited credentials.
Overview
API Keys allow you to authenticate with the RosettaHub API from scripts, CI/CD pipelines, SDKs, and custom integrations -- without using your interactive session credentials. Each key can be scoped to specific API methods or method tags and has a configurable expiration timeout.
API Keys are managed as platform artifacts in the RosettaHub Console alongside your other resources.
When to Use API Keys
| Use Case | Description |
|---|---|
| Automation scripts | Automate formation launches, resource management, or budget transfers from shell scripts or cron jobs |
| CI/CD pipelines | Integrate RosettaHub provisioning into GitHub Actions, GitLab CI, Jenkins, or other pipelines |
| SDK integrations | Authenticate Python, Java, or JavaScript SDK calls to the RosettaHub API |
| Custom applications | Build internal tools or dashboards that interact with RosettaHub programmatically |
| Scheduled workflows | Drive scheduled operations beyond what Cloud Autopilot covers |
Creating an API Key
- Open the API Keys view in the RosettaHub Console
- Click Create API Key
- Configure the key:
| Field | Description |
|---|---|
| Label | A descriptive name for the key (e.g., "CI/CD Pipeline", "Budget Script") |
| Timeout (minutes) | How long the key remains valid. Set to 0 for no expiration. |
| Method Name Filters | Optional. Comma-separated list of specific API method names this key can call. Leave empty for full access. |
| Method Tag Filters | Optional. Comma-separated list of method tags. The key can only call methods matching these tags. Leave empty for full access. |
- Click Create
- The API key secret is displayed once -- copy and store it securely
Store your secret immediately
The API key secret is shown only at creation time. Once you close the dialog, it cannot be retrieved or restored. If you lose the secret, delete the key and create a new one.
Key Attributes
| Attribute | Description |
|---|---|
| Prefix | The key's public identifier (visible in the API Keys view) |
| Label | Descriptive name you assigned at creation |
| Owner | The user who created the key |
| Method Name Filters | API methods this key is authorized to call (empty = all) |
| Method Tag Filters | Method tags this key is authorized for (empty = all) |
| Creation Time | When the key was created |
Scoping Keys
API Keys can be scoped to limit what they can do:
- Full access -- leave both filter fields empty. The key can call any API method your user account has access to.
- Method-scoped -- specify method names (e.g., `launchFormation,stopMachine`) to restrict the key to specific operations.
- Tag-scoped -- specify method tags (e.g., `read-only,metacloud`) to restrict the key to categories of operations.
Principle of least privilege
Create separate keys for different integrations, each scoped to only the methods it needs. A CI/CD key that only launches formations should not have access to budget or user management methods.
Managing API Keys
| Action | Description |
|---|---|
| Show Info | View key details (prefix, label, filters, creation time) |
| Customize | Update the key's label |
| Delete | Permanently revoke the key |
Deleted keys are immediately invalidated -- any scripts or integrations using the key will stop working.
Security Best Practices
Key management
- Never commit API keys to source control -- use environment variables or secret managers
- Rotate keys regularly -- delete old keys and create new ones on a schedule
- Use scoped keys -- limit each key to the minimum required methods
- Set timeouts for temporary integrations -- the key auto-expires after the specified duration
- Delete unused keys -- review your API Keys view periodically and remove keys that are no longer needed
- One key per integration -- if a key is compromised, you only need to rotate that single integration
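The scoping, timeout and rotation practices above can be checked against an inventory of your keys. The following is an added example, not RosettaHub code: it audits records transcribed by hand from the API Keys view. The record field names, the sample prefixes, the 90-day rotation window and the rule that the timeout counts from creation time are all assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory, as it might be transcribed by hand from the API Keys
# view. Field names and prefixes are hypothetical, not a RosettaHub format.
KEYS = [
    {"prefix": "demo-ci", "label": "CI/CD Pipeline", "timeout_minutes": 0,
     "name_filters": "launchFormation,stopMachine", "tag_filters": "",
     "created": "2024-05-01T00:00:00+00:00"},
    {"prefix": "demo-budget", "label": "Budget Script", "timeout_minutes": 0,
     "name_filters": "", "tag_filters": " ",
     "created": "2024-01-10T00:00:00+00:00"},
    {"prefix": "demo-dash", "label": "Dashboard", "timeout_minutes": 43200,
     "name_filters": "", "tag_filters": "read-only",
     "created": "2024-05-20T00:00:00+00:00"},
    {"prefix": "demo-tmp", "label": "Migration", "timeout_minutes": 60,
     "name_filters": "launchFormation", "tag_filters": "",
     "created": "2024-05-30T00:00:00+00:00"},
]

def split_filters(value):
    """Parse a comma-separated filter field; blank entries do not count."""
    return [item.strip() for item in value.split(",") if item.strip()]

def audit_key(key, now, max_age_days=90):
    """Return the findings for one key record, in a fixed order."""
    findings = []
    # Both filter fields empty means the key can call any method the owner can.
    if not split_filters(key["name_filters"]) and not split_filters(key["tag_filters"]):
        findings.append("full-access")
    created = datetime.fromisoformat(key["created"])
    timeout = key["timeout_minutes"]
    if timeout == 0:
        findings.append("no-expiration")  # a timeout of 0 never expires
    elif created + timedelta(minutes=timeout) <= now:
        # Assumption: the timeout is counted from the creation time.
        return findings + ["expired"]
    if now - created > timedelta(days=max_age_days):
        findings.append("rotation-overdue")
    return findings

def audit(keys, now, max_age_days=90):
    """Map key prefix -> findings, listing only keys that need attention."""
    results = ((k["prefix"], audit_key(k, now, max_age_days)) for k in keys)
    return {prefix: found for prefix, found in results if found}

if __name__ == "__main__":
    for prefix, found in audit(KEYS, datetime(2024, 6, 1, tzinfo=timezone.utc)).items():
        print(prefix, ", ".join(found))
```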
Related Topics
- Identity and Access -- Keycloak SSO and authentication
- Cloud Autopilot -- Built-in scheduling for recurring operations
- Cloud Accounts -- Account management via API