Managing API keys has always required navigating to the Appwrite Console, selecting scopes, and manually creating each key. For a single project, that works. For teams managing multiple environments, onboarding new services, or provisioning keys as part of automated pipelines, it becomes a bottleneck.
Today, we are announcing the Keys API, allowing you to create, update, and delete API keys programmatically through the Appwrite server SDKs.
This is part of a wider effort to make everything in Appwrite accessible through the API. Our goal is to ensure that any action you can perform in the Appwrite Console can also be done programmatically, giving you full control over your projects through code.
Why this matters
API keys are the foundation of server-side authentication in Appwrite. Every server SDK call, every CLI operation, and every backend integration depends on them. Being able to manage keys from code opens up workflows that were previously manual:
- CI/CD pipelines that provision scoped keys for each deployment environment
- Multi-tenant platforms that create isolated keys per customer with only the scopes they need
- Team onboarding where new services get their own keys automatically
- Key rotation workflows that create a new key, update credentials, and retire the old one without downtime
How it works
The Keys API introduces two new API key scopes:
keys.readfor listing and retrieving API keyskeys.writefor creating, updating, and deleting API keys
Sensitive scopes
The keys.read and keys.write scopes are very sensitive. An API key with keys.write can create new keys with any scope, effectively granting full access to your project. Only assign these scopes to keys used in trusted, secure environments, and never expose them in client-side applications.
The methods live on the Project service, alongside existing project-level operations like environment variables.
Create an API key
import { Client, Project, ID, Scopes } from 'node-appwrite';
const client = new Client()
.setEndpoint('https://<REGION>.cloud.appwrite.io/v1')
.setProject('<PROJECT_ID>')
.setKey('<YOUR_API_KEY>');
const project = new Project(client);
const result = await project.createKey({
keyId: ID.unique(),
name: 'My API Key',
scopes: [Scopes.DatabasesRead, Scopes.DatabasesWrite],
expire: '2026-12-31T23:59:59.000+00:00'
});
Each key is created with a specific set of scopes and an optional expiration date. When no expiration is set, the key remains valid indefinitely.
Update an API key
const result = await project.updateKey({
keyId: '<KEY_ID>',
name: 'Updated Key',
scopes: [Scopes.DatabasesRead, Scopes.DatabasesWrite, Scopes.UsersRead],
expire: '2027-06-30T23:59:59.000+00:00'
});
Use this to adjust scopes as requirements change, or to extend or shorten a key's expiration window.
Delete an API key
await project.deleteKey({
keyId: '<KEY_ID>'
});
Once deleted, the key immediately stops authenticating API calls.
Bootstrap requirement
To use the Keys API, you need an existing API key with the keys.read and keys.write scopes. This initial key must be created through the Appwrite Console. Once you have it, all subsequent key management can be done programmatically.
Full SDK support
The Keys API is available across all Appwrite Server SDKs. Complete code examples for every supported language are available in the API keys documentation.
Get started
The Keys API is available on Appwrite Cloud today.
- Navigate to Overview > Integration > API keys and create an API key with the
keys.readandkeys.writescopes. - Initialize a Server SDK with your API key.
- Use the
Projectservice to manage keys from code.
Full documentation is available on the API keys documentation page.
