Two Types of Credentials
Scout provides two types of API credentials:Org Credentials
The modern, recommended credential type. Asymmetric key pairs you can create in any quantity, name by purpose, enable or disable, and rotate safely.
Legacy Keys
Older single-key credentials that continue to work. Org Credentials replace them with more flexibility and security options.
Org Credentials vs. Legacy Keys
| Feature | Legacy Key | Org Credentials |
|---|---|---|
| Multiple keys per org | No | Yes |
| Enable / disable toggle | No | Yes |
| Key rotation without downtime | No | Yes |
| Named keys | No | Yes |
| Asymmetric key pair | No | Yes |
| Scoped permissions (planned) | No | Yes |
Org Credentials are asymmetric key pairs. When using bearer token authentication, use the private key portion of your Org Credential as the token value. You can view and copy it at any time from Scout Studio.
Creating an API Key
Prerequisites
You need organization admin permissions in Scout Studio to create API keys.Steps
Name your key
Enter a descriptive name that tells you what this key is for six months from now — for example,
prod-api-server, github-actions-deploy, or staging-tests.- Name and assigned role
- Public key — masked by default; use the eye icon to reveal or the copy icon to copy
- Private key — masked by default; use the eye icon to reveal or the copy icon to copy
- Enable / disable toggle — suspend access without deleting the key
- Actions menu (⋮) — rename, rotate, or delete
Using API Keys
Scout API keys support two authentication methods. Both use theAuthorization: Bearer header. Choose based on your security requirements.
| Method | What you send | Best for |
|---|---|---|
| Private key as Bearer token | The private key string directly | Quick scripts, internal tools, local testing |
| Signed JWT | A short-lived JWT signed with the private key | Production integrations, anything that handles sensitive data |
Method 1: Private Key as Bearer Token
Use the private key string exactly as shown in Settings as your Bearer token.Method 2: Signed JWT
Sign a short-lived JWT locally with the private key and send that as the Bearer token. Scout verifies the signature against the stored public key. The private key never leaves your environment.Step 1: Convert the key to PEM format
Scout keys are stored as base64url-encoded DER. Most JWT libraries expect PEM format. Run this conversion once at startup.- Node.js
- Python
Step 2: Sign and send the JWT
- Node.js
- Python
JWT Claims Reference
| Claim | Required | Value |
|---|---|---|
iss | Yes | Must be the string scout |
sub | Yes | Your credential ID, shown in Settings → API Keys |
iat | Yes | Current Unix timestamp in seconds |
exp | No | Expiry Unix timestamp. Maximum 300 seconds after iat. |
kid | Header | RFC 7638 thumbprint of the public key, shown in Settings → API Keys |
Authentication Troubleshooting
| Error | Check |
|---|---|
401 Unauthorized | The key is disabled or deleted. Confirm it is enabled in Settings → API Keys. Verify you are using the private key, not the public key. |
403 Forbidden | The key is valid but lacks permission for this operation. Check the role assigned to the key. |
| JWT parse error | The key needs PEM conversion before use with a JWT library. Follow Step 1 above. |
Managing Keys
Enabling and Disabling a Key
Disable a key temporarily without deleting it — useful for suspending access during a security review or pausing an integration.- Go to Settings → API Keys.
- Find the key and toggle the Enabled switch off.
401 Unauthorized on all requests. Re-enable at any time by toggling it back on.
Rotating Keys
Because Org Credentials support multiple active keys, you can rotate without downtime:Deleting Keys
Deleting a key is permanent. Any service using that key immediately receives401 Unauthorized errors.
- Go to Settings → API Keys.
- Click the Actions menu (⋮) → Delete.
- Confirm the deletion in the dialog.
Security Best Practices
Treat API keys like passwords. Follow these practices to reduce risk:- Never commit keys to source control. Use
.gitignoreto exclude.envfiles. Use tools like git-secrets or pre-commit hooks to scan for accidental commits. - Use one key per service or environment. Separate keys for production, staging, CI/CD, and local development let you revoke access for one system without affecting others.
- Use descriptive names. Names like
prod-api-serverorgithub-actions-deploymake it easy to audit which key is used where. - Rotate keys on a schedule. Quarterly rotation is a reasonable baseline for most teams.
- Disable before you delete. Disabling first lets you confirm no active service depends on a key before permanently removing it.
- Store keys in a secrets manager. Prefer AWS Secrets Manager, GCP Secret Manager, HashiCorp Vault, or Doppler over plain environment files in production.
- Audit access regularly. Review your active keys and remove any that are no longer in use.
Multi-Key Strategy
Use separate keys for each environment and integration:| Key Name | Purpose | Environment |
|---|---|---|
prod-api-server | Main production backend | Production |
prod-cicd | GitHub Actions deployments | Production |
staging-api | Staging and QA testing | Staging |
dev-local | Local development | Development |
Key Management Troubleshooting
| Error | Likely Cause | Solution |
|---|---|---|
401 Unauthorized | Key is disabled, deleted, or copied incorrectly | Confirm the key is enabled in Settings. Re-copy the private key from Scout Studio. |
403 Forbidden | Key doesn’t have permission for this resource | Confirm your organization has access to the feature you are calling. Check the key’s role. |
| Key not appearing in Settings | Session or membership issue | Refresh the page. Verify you are logged into the correct organization. |
| Requests failing after rotation | Old key still in use somewhere | Search your codebase and secrets manager for references to the old key. Check CI/CD environment variables. |
| Private key only shown once | Expected behavior | Scout does not re-display the private key after creation. If lost, create a new key and rotate your applications to use it. |
Migrating from Legacy Keys
Legacy Keys continue to work and Scout will provide advance notice before any deprecation. When you’re ready to migrate:Create new Org Credentials
Create a new Org Credential for each service or use case that currently uses a Legacy Key.
Update your applications
Update your applications and environment variables to use the new private keys.
Upcoming Features
Scoped Permissions will let you restrict a key to specific Scout services or API actions, so a CI/CD key can only trigger workflows and cannot read or delete databases. Audit Trail will provide a time-stamped log of every key creation, rotation, disable, and delete event — useful for compliance reviews and incident response. Both features are in active development.Next Steps
Skills Overview
Configure Skills to authenticate with your API key via the
SCOUT_API_KEY environment variable.Scout MCP
Use your API key to authenticate the Scout MCP server for coding agent access.
API Reference
Full reference for all Scout REST API endpoints you can authenticate with your key.