API key
The API key is a secret key used only for simplified authorization of service accounts with the Yandex Cloud API.
Use API keys if requesting an IAM token automatically is not an option.
Alert
If someone might have gotten access to your private key, delete it and create a new one.
It is the user's responsibility to store the API key. Yandex Cloud provides access to an API key only during its creation. If the key is lost or damaged, you cannot restore it. In this case, you can reissue the key or create a new one.
You can track the dates of last use of service account access keys. This helps you ensure security and control over access to resources, monitor cases of unauthorized use of keys, and delete unused keys without the risk of disrupting Yandex Cloud services. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods.
API keys with scope and validity limits
When creating an API key, you can specify one or more scopes.
A scope is the total of the actions a service account is allowed to perform with the service's resources. A service can have more than one scope. You cannot use an API key with specified scopes in other services or scopes.
The scope limits the use of API keys in addition to the service account's personal access permissions.
Additionally, when creating an API key, you can limit its validity period. You can reduce the risk of unauthorized use of your keys by configuring their scope limits and validity periods.
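The last-use tracking and the scope and validity limits described above can be combined into a periodic key review. The following is an added example, not Yandex Cloud code: it audits a constructed list of key records, and apart from last_used_at, the field names (id, scopes, expires_at), the 90-day idle threshold, and the finding labels are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample records. Only last_used_at is named on this page; the
# other field names (id, scopes, expires_at) are assumptions for the example.
SAMPLE_KEYS = json.loads("""
[
  {"id": "key-a", "last_used_at": "2025-05-30T08:00:00Z",
   "scopes": ["yc.monitoring.read"], "expires_at": "2025-09-01T00:00:00Z"},
  {"id": "key-b", "last_used_at": "2024-11-02T10:15:00Z",
   "scopes": ["yc.postbox.send"], "expires_at": null},
  {"id": "key-c", "last_used_at": null, "scopes": [], "expires_at": null},
  {"id": "key-d", "last_used_at": "2025-05-31T23:00:00Z",
   "scopes": ["yc.search-api.execute"], "expires_at": "2025-05-01T00:00:00Z"}
]
""")


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp; None means the field is unset."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(keys, now, max_idle_days=90):
    """Return {key_id: [findings]} for keys that need review."""
    report = {}
    for key in keys:
        findings = []
        last_used = parse_ts(key.get("last_used_at"))
        expires = parse_ts(key.get("expires_at"))
        if last_used is None:
            findings.append("never-used")      # candidate for deletion
        elif now - last_used > timedelta(days=max_idle_days):
            findings.append("stale")           # idle longer than the threshold
        if not key.get("scopes"):
            findings.append("no-scope")        # limited only by account permissions
        if expires is None:
            findings.append("no-expiry")       # no validity limit configured
        elif expires <= now:
            findings.append("expired")         # past its validity period
        if findings:
            report[key["id"]] = findings
    return report


if __name__ == "__main__":
    print(audit_keys(SAMPLE_KEYS, datetime(2025, 6, 1, tzinfo=timezone.utc)))
```

Keys that come back with never-used or stale are the ones that can be deleted with the least risk of disrupting a service; no-scope and no-expiry mark keys to reissue with limits.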
Available scopes are listed below:
- yc.ai.foundationModels.execute: To send requests to AI Assistant API, Image Generation API, Text Generation API, SpeechKit API, Yandex Translate API, and Vision OCR API.
- yc.ai.imageGeneration.execute: To send requests to image generation models in Yandex Foundation Models via the Image Generation API.
- yc.ai.languageModels.execute: To send requests to text generation models in Yandex Foundation Models via the Text Generation API.
- yc.ai.speechkitStt.execute: To recognize speech via the SpeechKit API.
- yc.ai.speechkitTts.execute: To synthesize speech via the SpeechKit API.
- yc.ai.translate.execute: To translate text via the Yandex Translate API.
- yc.ai.vision.execute: To perform optical text recognition via the Vision OCR API.
- yc.monitoring.manage: To view and write data in Yandex Monitoring via the Monitoring API.
- yc.monitoring.read: To view data in Yandex Monitoring via the Monitoring API.
- yc.postbox.send: To send emails via the Yandex Cloud Postbox API.
- yc.search-api.execute: To send search queries to Yandex Search API.
- yc.serverless.containers.invoke: To invoke containers via the Serverless Containers API.
- yc.serverless.functions.invoke: To invoke functions via the Cloud Functions API.
- yc.ydb.tables.manage: For accessing YDB in PostgreSQL-compatible mode.
- yc.ydb.topics.manage: For accessing the Kafka API in Yandex Data Streams.
When creating an API key in the management console
yc.ai.imageGeneration.execute
yc.ai.languageModels.execute
yc.ai.speechkitStt.execute
yc.ai.speechkitTts.execute
yc.ai.translate.execute
yc.ai.vision.execute
yc.monitoring.manage
yc.search-api.execute
yc.serverless.containers.invoke
yc.serverless.functions.invoke
Using an API key
Enter your API key when accessing Yandex Cloud resources via the API. Provide the API key in the Authorization header in the following format:
Authorization: Api-Key <API_key>
Services that support this authentication method
The following services support authentication based on API keys:
- Yandex Cloud Functions
- Yandex DataSphere
- Yandex Monitoring
- Yandex Cloud Postbox
- Yandex Search API
- Yandex Serverless Containers
- Yandex SpeechKit
- Yandex SpeechSense
- Yandex Translate
- Yandex Vision OCR
- Yandex Data Streams: Kafka API.
- Yandex Managed Service for YDB: Only in PostgreSQL-compatible mode. Use a suitable authentication method for other modes.
- Yandex MetaData Hub: Within Yandex Schema Registry.