Choose the right API key for the job

Jan Cerman, Daniel Filakovsky
Some APIs require API keys. API keys are similar to physical keys. You use them to get access to things. With Kontent.ai, you can use multiple API keys to gain access to your projects. Learn to choose the right ones for your purpose.

What API keys are there in Kontent.ai?

To follow the principle of least privilege, Kontent.ai offers multiple types of API keys for different use cases. This allows you to manage and read content independently without any security impact. Get familiar with the available API keys and their purpose in the following diagram.

Which API key to choose?

There are several types of API keys to choose from. The choice of the right one depends on what you need to accomplish.

| Criteria | Delivery API key | Management API key | Personal API key | Subscription API key |
|---|---|---|---|---|
| Create multiple API keys | Yes | Yes | No (one per user per project) | No (one per subscription admin) |
| Integrations-friendly | Yes (read-only integrations) | Yes | Yes (limited to the owner’s permissions) | Yes (subscription-level integrations) |
| Limit permissions | No | Yes | Same as owner | Same as owner |
| Limit environments | Yes | Yes | Same as owner | Same as owner |
| Preview content | Yes (if configured for preview) | No | No | No |
| Production-friendly | Yes | Yes (with appropriate permissions) | No | Yes (for subscription-wide operations) |
| Shareable with other Kontent.ai users | Yes | Yes | No | No |
| Static permissions | Yes | Yes | No (dynamic) | No (dynamic) |

You can use this table as a quick reference.

The key to managing your content

Kontent.ai provides three types of API keys that you can use for content management via API. Each type of API key provides a different level of access to your content and project. Let’s go through them one by one to understand the differences.
Management API keys provide a static set of customizable permissions. This means you can choose what resources can be accessed with the API key. For example, you can limit your Management API key to only allow read access to content items. Once the API key is set up, it allows access based on its permissions until the API key expires. You can have as many Management API keys as you need. We recommend creating unique Management API keys for each integration and environment so that each API key has only the permissions it needs and no more.
Personal API keys provide a dynamic set of inherited permissions. In other words, the API key has the same permissions as its owner. This means the permissions provided by a Personal API key can change in the future based on the role and access level the API key owner has. Due to Personal API keys being tied to their owner’s permissions, we don’t recommend them for production. You cannot easily limit Personal API keys to the resources you need for a specific scenario. However, they’re fine if you need to test things out in non-production environments.
Subscription API keys are like a more powerful brother of Personal API keys. They also inherit the permissions of their owners, but the owners are subscription admins who can access any project under a subscription. A Subscription API key allows access to the resources available through Management API and Subscription API. This key is your choice if you need to work with users via API. For other API tasks, it’s safer to use a more limited Management API key.

Get content with Delivery API keys

While you can use Management API to read content from your projects, Delivery API is faster for content delivery scenarios and scales better. And there’s just a single type of API key! Delivery API keys provide read access to your published content, the latest unpublished content, or both. This depends on how you set up your Delivery API key. Create as many Delivery API keys as you need. Using multiple Delivery API keys is important to manage your live and preview environments separately. It also helps avoid outages during API key rotation.

API keys aren’t forever

Every first-party and third-party integration has unique security and maintenance requirements. That’s why all user-managed API keys have configurable expiration dates to best fit your needs. The API key expiration is limited to satisfy common security practices and avoid access that never expires.
  • For Delivery API keys, the default is 12 months, with the maximum expiration time of 5 years.
  • For Management API-capable API keys, the default is 6 months, with the maximum expiration time of 2 years.
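
The recommendations on this page can be checked against a key inventory. The following is an added example, not Kontent.ai code: the inventory format, field names, and sample keys are constructed, and Personal and Subscription keys are assumed to fall under the Management API-capable expiration limit.

```python
from datetime import date

# Maximum lifetimes in years, from the expiration limits above. Assumption:
# Personal and Subscription keys count as Management API-capable.
MAX_YEARS = {"delivery": 5, "management": 2, "personal": 2, "subscription": 2}

def add_years(d, years):
    """Shift a date by whole years; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

def audit(keys, today):
    """Return (key name, finding) pairs for a key inventory."""
    findings = []
    for k in keys:
        name, kind, uses = k["name"], k["type"], set(k["used_by"])
        if kind not in MAX_YEARS:
            findings.append((name, "unknown key type"))
            continue
        if k["expires"] <= today:
            findings.append((name, "expired"))
        elif k["expires"] > add_years(k["created"], MAX_YEARS[kind]):
            findings.append((name, "lifetime exceeds maximum for key type"))
        if kind == "personal" and any(env == "production" for _, env in uses):
            findings.append((name, "personal key used in production"))
        if kind == "management" and len(uses) > 1:
            findings.append((name, "management key shared across integrations or environments"))
        if kind == "subscription" and not k.get("manages_users", False):
            findings.append((name, "subscription key used where a management key would do"))
    return findings

# Constructed inventory; field names are hypothetical, not a Kontent.ai format.
INVENTORY = [
    {"name": "web-delivery", "type": "delivery", "created": date(2024, 1, 10),
     "expires": date(2025, 1, 10), "used_by": [("website", "production")]},
    {"name": "sync-mgmt", "type": "management", "created": date(2024, 3, 1),
     "expires": date(2027, 3, 1),
     "used_by": [("crm-sync", "production"), ("crm-sync", "staging")]},
    {"name": "dev-personal", "type": "personal", "created": date(2024, 5, 1),
     "expires": date(2024, 11, 1), "used_by": [("importer", "production")]},
    {"name": "admin-sub", "type": "subscription", "created": date(2024, 2, 1),
     "expires": date(2024, 8, 1), "used_by": [("reporting", "production")],
     "manages_users": False},
]

if __name__ == "__main__":
    for name, finding in audit(INVENTORY, today=date(2024, 6, 1)):
        print(f"{name}: {finding}")
```
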