> ## Documentation Index
> Fetch the complete documentation index at: https://cockroachlabs.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Create a new API Key

> Can be used by the following roles assigned at the organization scope:
- ORG_ADMIN


<Note>This endpoint is in **Preview** and subject to change. Refer to the [API support policy](https://www.cockroachlabs.com/docs/stable/api-support-policy) for more details.</Note>


## OpenAPI

````yaml /openapi/cloud/latest.json post /api/v1/api-keys
openapi: 3.0.0
info:
  contact:
    email: support@cockroachlabs.com
    name: Cockroach Labs Support
    url: https://support.cockroachlabs.com
  description: An API for managing CockroachDB Cloud resources
  title: CockroachDB Cloud API
  version: '2024-09-16'
servers:
  - url: https://cockroachlabs.cloud
security:
  - Bearer: []
tags:
  - name: SCIM
  - name: Organizations
  - name: Clusters
  - name: Cluster Disruption
  - name: SQL Users
  - name: SQL Privilege Grants
  - name: Databases
  - name: Customer-managed Encryption Keys
  - name: Client CA Certificates
  - name: Cluster SSO
  - name: Log Export
  - name: Metric Export
  - name: Audit Logs
  - name: IP Allowlists
  - name: Egress Rules
  - name: Billing
  - name: Maintenance Windows
  - name: Blackout Windows
  - name: Role Management
  - name: Service Accounts
  - name: API Keys
  - name: Folders
  - name: Version Deferral
  - name: JWT Issuers
  - name: OpenID Connect Configuration
  - name: Private Endpoint Services
  - name: PCI
  - name: Physical Cluster Replication
  - name: Plan Migrations
  - name: Backup/Restore
  - name: Egress Private Endpoints
  - name: Multifactor Authentication
externalDocs:
  description: Use the CockroachDB Cloud API
  url: https://www.cockroachlabs.com/docs/cockroachcloud/cloud-api.html
paths:
  /api/v1/api-keys:
    post:
      tags:
        - API Keys
      summary: Create a new API Key
      description: |
        Can be used by the following roles assigned at the organization scope:
        - ORG_ADMIN
      operationId: CockroachCloud_CreateApiKey
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/CreateApiKeyRequest'
      responses:
        '200':
          description: A successful response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CreateApiKeyResponse'
        '400':
          description: Returned when a request field is invalid.
          content:
            application/json:
              schema: {}
        '401':
          description: Returned when the token bearer cannot be authenticated.
          content:
            application/json:
              schema: {}
        '403':
          description: >-
            Returned when the user does not have permission to access the
            resource.
          content:
            application/json:
              schema: {}
        '404':
          description: Returned when the resource does not exist.
          content:
            application/json:
              schema: {}
        '500':
          description: Server error
          content:
            application/json:
              schema: {}
        default:
          description: An unexpected error response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Status'
      x-codeSamples:
        - lang: Shell + Curl
          source: |-
            curl --request POST \
              --url https://cockroachlabs.cloud/api/v1/api-keys \
              --header 'Authorization: Bearer REPLACE_BEARER_TOKEN' \
              --json '{"name":"example name","service_account_id":"1234abcd-1234-1234-abcd-12345678abcd"}'
components:
  schemas:
    CreateApiKeyRequest:
      type: object
      properties:
        name:
          description: The name of the api key.
          type: string
          example: example name
        service_account_id:
          description: The ID of the service account to create the api key for.
          type: string
          format: uuid
          example: 1234abcd-1234-1234-abcd-12345678abcd
      example:
        name: example name
        service_account_id: 1234abcd-1234-1234-abcd-12345678abcd
      required:
        - name
        - service_account_id
    CreateApiKeyResponse:
      type: object
      properties:
        api_key:
          $ref: '#/components/schemas/ApiKey'
        secret:
          description: >-
            The full api key. This is the value that would be passed in the

            Authorization header. It is not stored by the backend and is
            therefore not

            recoverable if lost.
          type: string
          format: password
          example: >-
            CCDB1_12345abcdefGHIJKLMnopq_NkdXLI9d81Mnx3djs45iwPfgtnaRv0XCh0Z9047K
      required:
        - api_key
        - secret
    Status:
      type: object
      properties:
        code:
          format: int32
          type: integer
        details:
          type: array
          items:
            $ref: '#/components/schemas/Any'
        message:
          type: string
    ApiKey:
      type: object
      properties:
        created_at:
          description: the creation time of the api key.
          type: string
          format: date-time
          example: '2022-03-22T20:23:11.285067Z'
        id:
          description: the ID of the api key.
          type: string
          example: CCDB1_12345abcdefGHIJKLMnopq
        name:
          type: string
          example: api key name
          title: the name of the api key
        service_account_id:
          description: the ID of the service account the api key references.
          type: string
          format: uuid
          example: 1234abcd-1234-1234-abcd-12345678abcd
      example:
        created_at: '2022-03-22T20:23:11.285067Z'
        id: CCDB1_12345abcdefGHIJKLMnopq
        name: example name
        service_account_id: 1234abcd-1234-1234-abcd-12345678abcd
      required:
        - id
        - service_account_id
        - name
        - created_at
    Any:
      description: >-
        `Any` contains an arbitrary serialized protocol buffer message along
        with a

        URL that describes the type of the serialized message.


        In its binary encoding, an `Any` is an ordinary message; but in other
        wire

        forms like JSON, it has a special encoding. The format of the type URL
        is

        described on the `type_url` field.


        Protobuf APIs provide utilities to interact with `Any` values:


        - A 'pack' operation accepts a message and constructs a generic `Any`
        wrapper
          around it.
        - An 'unpack' operation reads the content of an `Any` message, either
        into an
          existing message or a new one. Unpack operations must check the type of the
          value they unpack against the declared `type_url`.
        - An 'is' operation decides whether an `Any` contains a message of the
        given
          type, i.e. whether it can 'unpack' that type.

        The JSON format representation of an `Any` follows one of these cases:


        - For types without special-cased JSON encodings, the JSON format
          representation of the `Any` is the same as that of the message, with an
          additional `@type` field which contains the type URL.
        - For types with special-cased JSON encodings (typically called
        'well-known'
          types, listed in https://protobuf.dev/programming-guides/json/#any), the
          JSON format representation has a key `@type` which contains the type URL
          and a key `value` which contains the JSON-serialized value.

        The text format representation of an `Any` is like a message with one
        field

        whose name is the type URL in brackets. For example, an `Any` containing
        a

        `foo.Bar` message may be written `[type.googleapis.com/foo.Bar] { a: 2
        }`.
      type: object
      properties:
        '@type':
          description: >-
            Identifies the type of the serialized Protobuf message with a URI
            reference

            consisting of a prefix ending in a slash and the fully-qualified
            type name.


            Example: type.googleapis.com/google.protobuf.StringValue


            This string must contain at least one `/` character, and the content
            after

            the last `/` must be the fully-qualified name of the type in
            canonical

            form, without a leading dot. Do not write a scheme on these URI
            references

            so that clients do not attempt to contact them.


            The prefix is arbitrary and Protobuf implementations are expected to

            simply strip off everything up to and including the last `/` to
            identify

            the type. `type.googleapis.com/` is a common default prefix that
            some

            legacy implementations require. This prefix does not indicate the
            origin of

            the type, and URIs containing it are not expected to respond to any

            requests.


            All type URL strings must be legal URI references with the
            additional

            restriction (for the text format) that the content of the reference

            must consist only of alphanumeric characters, percent-encoded
            escapes, and

            characters in the following set (not including the outer backticks):

            `/-.~_!$&()*+,;=`. Despite our allowing percent encodings,
            implementations

            should not unescape them to prevent confusion with existing parsers.
            For

            example, `type.googleapis.com%2FFoo` should be rejected.


            In the original design of `Any`, the possibility of launching a type

            resolution service at these type URLs was considered but Protobuf
            never

            implemented one and considers contacting these URLs to be
            problematic and

            a potential security issue. Do not attempt to contact type URLs.
          type: string
      additionalProperties: {}
  securitySchemes:
    Bearer:
      type: http
      scheme: bearer

````