Manage Secret API Keys in Medusa Admin
In this guide, you'll learn how to create and manage secret API keys in the Medusa Admin.
What is a Secret API Key?
A secret API key is an authentication token that allows you to access Medusa's Admin APIs. You can pass it in request headers to send requests as an authenticated admin user. Because the key grants that access, it's important not to expose it in client-side code or public repositories.
To learn how to pass the secret API key in request headers, refer to the API Reference.
View Secret API Keys
To view the secret API keys of the currently logged-in user in the Medusa Admin, go to Settings -> Secret API Keys.
Here, you can see a list of all the secret API keys for the logged-in user. You can also search, filter, and sort the API keys to find the one you are looking for.
Create Secret API Key
When you create a secret API key, you create it for the currently logged-in user. A user can have one active secret key at a time. So, if you already have one, you must revoke it before creating a new one.
To create a new secret API key for the currently logged-in user:
- Go to Settings -> Secret API Keys.
- Click the Create button at the top right.
- In the form that opens, enter the secret API key's title.
- Once you're done, click the Save button.
- You'll get a pop-up with the secret API key. Copy it and store it securely before closing the pop-up, as you won't be able to see it again.
View Secret API Key Details
To view the details of a secret API key:
- Go to Settings -> Secret API Keys.
- Click on a secret API key from the list.
This opens the secret API key's details page where you can also manage the API key.
Secret API Key Status
You can see the status of the secret API key at the top right of the first section in the details page. A secret API key's status can be:
Status | Description |
---|---|
Active | The API key is active and can be used in requests. |
Revoked | The API key has been revoked and can't be used in requests. |
Edit Secret API Key
To edit a secret API key:
- Go to the secret API key's details page.
- Click the icon at the top right of the first section.
- Choose "Edit" from the dropdown.
- In the side window that opens, you can edit the secret API key's title.
- Once you're done, click the Save button.
Revoke Secret API Key
To revoke a secret API key:
- Go to the secret API key's details page.
- Click the icon at the top right of the first section.
- Choose "Revoke API key" from the dropdown.
- Confirm revoking the API key by clicking the "Revoke API key" button in the pop-up.
Delete Secret API Key
You can only delete a secret API key after revoking it. To delete a secret API key:
- Go to the secret API key's details page.
- Click the icon at the top right of the first section.
- Choose "Delete" from the dropdown.
- Confirm deleting the API key by clicking the Delete button in the pop-up.