Managing the user API key

Certain operations require an API key for secure authorization. You can generate and rotate a user API key as needed to help ensure that your operations run smoothly.

User API key overview

Operations that are running within services on the platform require an API key for authorization. A valid API key is required for the following long-running tasks:

  • Model training in watsonx.ai Runtime
  • Problem solving with Decision Optimization
  • Pipelines
  • Other runtime services that accept API key references
  • Data cleansing and validation with Data Refinery

Jobs require an API key for authorization. An API key is used for jobs when:

  • Creating a job schedule with a predefined key
  • Updating the API key for a scheduled job
  • Providing an API key for an ad hoc job

User API keys give control to the account owner to secure and renew credentials, thus helping to ensure that operations run without interruption. Keys are unique to the IBMid and account. If you change the account you are working in, you must generate a new key.

Required roles
IAM Platform role: Admin or Account owner

Limitations:

  • If you're logged in through a trusted profile, depending on the profile settings, you might not have the option to generate or rotate API keys. Instead, you must use an API key that was generated by one of the static members of the profile. For more information, see Overview for setting up trusted profiles.

Accessing the list of API keys

Important: You can't view the actual API key this way. For security reasons, an API key is visible only immediately after creation.

To view the list of API keys:

  1. Click your avatar and select Profile and settings to open your account profile.
  2. Select User API key to view the active and phased out keys.

Creating an API key

To create an API key:

  1. Click your avatar and select Profile and settings to open your account profile.
  2. Select User API key.
  3. Click Create a key.

A new key is created in Active state. The key automatically authorizes operations that require a secure credential.

Important: Do not forget to copy and save your API key in a secure location as soon as you create it. For security reasons, an API key is visible only immediately after creation.
Note:

If the platform that you are working on is deployed on IBM Cloud, the user API key is also stored in IBM Cloud. You can view the user API keys for your IBM Cloud account at API keys. On AWS, you don't have access to your user API keys from the IBM SaaS console.

Rotating an API key

Important: API Keys in AWS expire every 365 days. If administrators let the API key expire, the service ID that the service uses will no longer be able to perform tasks. For example, data product deliveries will not work in Data Product Hub. To avoid service disruption, rotate your API key before it expires.

If the API key becomes stale or invalid, you can generate a new active key for use by all operations.

To rotate a key:

  1. Click your avatar and select Profile and settings to open your account profile.
  2. Select User API key to view the active and phased out keys.
  3. Click on Rotate.

When you rotate a key, a new key is created in Active state and the existing key is changed to Phased out state. A phased out key is not used for authorization and can be deleted.

Deleting a phased out API key

Warning: Deleting keys might cause running operations to fail.

To delete a phased out key:

  1. Click your avatar and select Profile and settings to open your account profile.
  2. Select User API key to view the active and phased out keys.
  3. Click the minus sign that is located next to your phased out key.

Deleting all API keys

Warning: Deleting keys might cause running operations to fail.

To delete all API keys:

  1. Click your avatar and select Profile and settings to open your account profile.
  2. Select User API key to view the active and phased out keys.
  3. Click the trash can icon.

Learn more: