API Keys

Manage authentication credentials for your organization’s API access to Scout.

Overview

API Keys (Org Credentials) let you authenticate API requests to Scout services. Use them as bearer tokens for simple API calls, or as signing keys for more secure integrations.

Org Credentials are the modern successor to Legacy API Keys, offering enhanced security features while maintaining full backward compatibility.

Note: Org Credentials are asymmetric key pairs. When using bearer token authentication, use the private key portion of your Org Credential as the token value. The private key can be viewed in the Scout Studio UI.

Org Credentials vs. Legacy Keys

Legacy Keys continue to work. If you have an existing Legacy Key, you don’t need to migrate immediately—we recommend planning a transition at your convenience.

Creating API Keys

Prerequisites

• Organization admin permissions
• Access to Scout Studio

Steps

1. Navigate to Settings → API Keys in Scout Studio
2. Click Create New Key
3. Enter a descriptive name (e.g., “Production API”, “CI/CD Pipeline”)
4. Click Generate

Your new key is active immediately and ready for use.

Using API Keys

Bearer Token Authentication

Include the key in your request headers:

curl -X GET "https://api.scoutos.com/drive/list" \
  -H "Authorization: Bearer YOUR_API_KEY"

SDK Authentication

Python:

from scoutos import Scout
 
client = Scout(api_key="YOUR_API_KEY")

TypeScript:

import { ScoutClient } from "scoutos";
 
const client = new ScoutClient({ apiKey: "YOUR_API_KEY" });

Environment Variables

For security, store API keys in environment variables rather than hardcoding:

export SCOUT_API_KEY="your-api-key-here"

import os
from scoutos import Scout
 
client = Scout(api_key=os.environ.get("SCOUT_API_KEY"))

import { ScoutClient } from "scoutos";
 
const client = new ScoutClient({ 
  apiKey: process.env.SCOUT_API_KEY 
});

Managing Keys

Enable or Disable a Key

Temporarily disable a key without deleting it:

1. Go to Settings → API Keys
2. Find your key and toggle the Enabled switch

Disabled keys return 401 Unauthorized for all requests. Use this for:

• Suspending access during security events
• Testing key configurations
• Gradual key rotation

Key Rotation

Rotate keys regularly for security:

1. Create a new key
2. Update your applications to use the new key
3. Verify all services work correctly
4. Disable or delete the old key

With multiple keys per organization, you can run old and new keys simultaneously during transition periods.

Deleting Keys

Warning: Deletion is permanent. Any systems using that key will immediately lose access.

To delete:

1. Navigate to Settings → API Keys
2. Click Delete on the key
3. Confirm the deletion

Best Practices

Naming Conventions

Use descriptive names that identify the key’s purpose:

• ✅ production-api-server
• ✅ github-actions-ci
• ✅ internal-microservice
• ❌ key1
• ❌ test

Multi-Key Strategy

Organizations benefit from multiple keys:

This approach enables:

• Independent key rotation per service
• Revoking access for specific services without affecting others
• Audit trail per key usage

Coming Soon

Org Credentials are designed for extensibility. Upcoming features include:

• Scoped Permissions — RBAC-based access control for different services
• Audit Trail — Detailed logs of key usage and changes

Troubleshooting

Migrating from Legacy Keys

If you have existing Legacy Keys:

1. Create new Org Credentials for each use case
2. Update your applications to use the new keys
3. Verify everything works
4. Disable or delete Legacy Keys when ready

Legacy Keys will continue to work indefinitely. Migrate at your own pace—we’ll provide advance notice before any deprecation timeline.

Next Steps

• Drive API Reference — Use API keys with Drive endpoints
• Skills Overview — Configure skills with API keys
• Agent Code Execution — Secure API calls from agent code

Built with ❤️ by Scout OS