
API Keys

API keys are managed at the organization level with role-based access control (RBAC). Each key can be assigned an organization-wide role and optional per-app roles, giving you fine-grained control over what each key can access.

Navigate to Settings > Organization > API Keys at console.capgo.app/settings/organization/api-keys.

The page displays two sections:

  • RBAC Keys — Keys with assigned roles (recommended). These keys use the new role-based permission system.
  • Legacy Keys — Older keys that use the simple mode-based system (read, upload, write, all) without role assignments.

API keys list page showing RBAC and Legacy sections

  1. Click the “+” button at the top of the RBAC keys table.

  2. Fill in the Key information:

    • Name (required) — A descriptive label for the key (e.g. “CI/CD Deploy”, “Monitoring Read-Only”).
    • Create secure key (optional) — When checked, the key will be hashed server-side. The plain-text key is shown only once after creation. You will not be able to retrieve it later.
    • Set expiration date (optional) — Pick a date after which the key will stop working. Some organizations enforce mandatory expiration via policy.

API key creation form with name, secure key option, and expiration

  3. Select an Organization role — This defines the key’s baseline permissions across the entire organization. Available roles (depending on your own role level):

    • None — No org-wide access; the key only has access to individually assigned apps.
    • Member — Basic read access to the organization.
    • Admin — Full administrative access to the organization (inherits access to all apps).

  4. If the selected org role is not Admin, you can add per-app access:

    • Click “+ Add App” to open the app picker.
    • Select one or more apps, then assign a role to each:
      • App Reader — Read-only access to the app.
      • App Uploader — Can upload new bundles.
      • App Developer — Can manage the app configuration and deployments.
      • App Admin — Full access to the app.

RBAC role selection with org-level and per-app roles

  5. Click “Create”.

  6. If you checked “Create secure key”, a modal will display the plain-text key. Copy it immediately — it cannot be retrieved after closing the modal.

One-time API key secret modal with copy button

Click the wrench icon (Manage) on any RBAC key in the list. This opens the key detail page where you can:

  • Change the key name.
  • Update the organization role.
  • Add, remove, or change per-app roles.

Click “Save Changes” when done.

API key edit page with current role settings

To regenerate the secret value of an API key, click the refresh icon (Regenerate) on any key in the list.

A confirmation dialog will appear. After confirming:

  • For secure (hashed) keys: A new plain-text key is generated and displayed once in a modal. Copy it immediately.
  • For plain keys: The key value is regenerated server-side.

Any integration using the old key value will stop working immediately.

API key regeneration confirmation

Click the trash icon (Delete) on any key in the list. Confirm the deletion in the dialog.

The key is revoked immediately — any request using it will fail.

API key deletion confirmation dialog
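
The lifecycle described above for secure (hashed) keys, as an added example that is not Capgo's code: a store that keeps only a digest explains why the plain-text key can be shown once, why regeneration cuts off the old value immediately, and why expiration and deletion fail closed. The KeyStore class, its method names, the key id "ci-deploy" and the use of SHA-256 are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

class KeyStore:
    """Hypothetical in-memory store; holds only SHA-256 digests, never plain-text keys."""
    def __init__(self):
        self._keys = {}  # key_id -> {"digest": bytes, "expires": datetime or None}

    @staticmethod
    def _digest(plaintext):
        return hashlib.sha256(plaintext.encode()).digest()

    def _issue(self, key_id, expires):
        plaintext = secrets.token_urlsafe(32)  # high-entropy random value
        self._keys[key_id] = {"digest": self._digest(plaintext), "expires": expires}
        return plaintext  # returned once to the caller; not recoverable afterwards

    def create(self, key_id, expires=None):
        return self._issue(key_id, expires)

    def regenerate(self, key_id):
        # Overwrites the stored digest, so the previous value stops verifying at once.
        return self._issue(key_id, self._keys[key_id]["expires"])

    def delete(self, key_id):
        del self._keys[key_id]

    def verify(self, presented, now=None):
        now = now or datetime.now(timezone.utc)
        digest = self._digest(presented)
        for key_id, rec in self._keys.items():
            if hmac.compare_digest(digest, rec["digest"]):  # constant-time compare
                expired = rec["expires"] is not None and now >= rec["expires"]
                return None if expired else key_id
        return None

def demo():
    store = KeyStore()
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed timestamp
    old = store.create("ci-deploy", expires=t0 + timedelta(days=90))
    results = [store.verify(old, now=t0)]                            # accepted
    results.append(store.verify(old, now=t0 + timedelta(days=91)))   # past expiration
    new = store.regenerate("ci-deploy")
    results.append(store.verify(old, now=t0))                        # old value rejected
    results.append(store.verify(new, now=t0))                        # new value accepted
    store.delete("ci-deploy")
    results.append(store.verify(new, now=t0))                        # revoked
    return results

if __name__ == "__main__":
    print(demo())
```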

If you see keys in the Legacy Keys section (keys without role assignments), these use the older mode-based permission system (read, upload, write, all). They still work but do not benefit from RBAC fine-grained permissions.

Legacy keys can be regenerated and deleted from the list, but cannot be edited to add RBAC roles. We recommend creating new RBAC keys and deleting legacy keys when possible.

If you need to manage legacy keys directly, you can still access them at console.capgo.app/dashboard/apikeys. This page is deprecated and will be removed in a future update.