DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS /// DOCS

API·CONCEPTS·WORKSPACES API KEYS

Workspaces & API keys

Every API key belongs to exactly one workspace. There is no global or cross-workspace key — if you operate in multiple workspaces, you mint a separate key per workspace.

Why workspace-scoped

Permission isolation. A key for workspace A can't read workspace B's data, even if the same human is a member of both.
Independent rate limits. Workspaces don't share buckets.
Independent revocation. Rotating a key in one workspace doesn't affect any other.

Who can mint keys

Only workspace admins can create or revoke API keys. Editors and viewers see the API Keys section but it's read-only for them.

Key visibility

A newly created key's secret is shown exactly once, at creation time. After that, only the prefix (onn_live_a1b2c3…) is visible — enough to identify the key, not enough to use it. Lost the secret? You'll need to revoke and create a new key.