API key
The API key is a secret key only used for simplified authorization of service accounts with the Yandex Cloud API.
Use API keys if requesting an IAM token automatically is not an option.
Alert
If someone might have gotten access to your private key, delete it and create a new one.
It is the user's responsibility to store the API key. Yandex Cloud provides access to an API key only during its creation. If the key is lost or damaged, you cannot restore it. In which case you can reissue the key or create a new one.
To ensure security and control over access to resources, monitor cases of unauthorized use of keys, and delete unused keys without the risk of disrupting Yandex Cloud services, you can track the dates of last use of service account access keys. You can find this info on the service account page in the management console or in the last_used_at field when using the API to invoke access key management methods.
API keys with scope and validity limits
You can create API keys with an expiration date and a limited scope.
A scope is the total of the actions a service account is allowed to perform with the service's resources. A service can have more than one scope. You cannot use an API key with a specified scope in other services or scopes.
The scope limits the use of API keys in addition to the user's personal access permissions. Configuring scope limits and expiration dates will reduce the risk of unauthorized use of your keys.
Alert
If you do not select a scope, the API key will allow authentication in all services except those that support scope restriction. In the future, all services supporting API key authentication will have scopes of their own.
Available scopes are listed below:
yc.ai.foundationModels.execute: To send requests to AI Assistant API, Image Generation API, Text Generation API, SpeechKit API, Yandex Translate API, and Vision OCR API.yc.ai.imageGeneration.execute: To send requests to image generation models in Yandex Foundation Models via the Image Generation API.yc.ai.languageModels.execute: To send requests to text generation models in Yandex Foundation Models via the Text Generation API.yc.ai.speechkitStt.execute: To recognize speech via the SpeechKit API.yc.ai.speechkitTts.execute: To synthesize speech via the SpeechKit API.yc.ai.translate.execute: To translate text via the Yandex Translate API.yc.ai.vision.execute: To perform optical text recognition via the Vision OCR API.yc.monitoring.manage: To view and write data in Yandex Monitoring via the Monitoring API.yc.monitoring.read: To view data in Yandex Monitoring via the Monitoring API.yc.postbox.send: To send emails via the Yandex Cloud Postbox API.yc.search-api.execute: To send search queries to Yandex Search API.yc.serverless.containers.invoke: To invoke containers via the Serverless Containers API.yc.serverless.functions.invoke: To invoke functions via the Cloud Functions API.yc.ydb.tables.manage: For accessing YDB in PostgreSQL-compatible mode.yc.ydb.topics.manage: For accessing the Kafka API in Yandex Data Streams.
Using an API key
Enter your API key when accessing Yandex Cloud resources via the API. Provide the API key in the Authorization header in the following format:
Authorization: Api-Key <API_key>
Services that support this authentication method
The following services support authentication based on API keys:
- Yandex Cloud Functions
- Yandex DataSphere
- Yandex Monitoring
- Yandex Cloud Postbox
- Yandex Search API
- Yandex Serverless Containers
- Yandex SpeechKit
- Yandex SpeechSense
- Yandex Translate
- Yandex Vision OCR
- Yandex Data Streams: Kafka API.
- Yandex Managed Service for YDB: Only in PostgreSQL-compatible mode. Use a suitable authentication method for other modes.
- Yandex MetaData Hub: Within Yandex Schema Registry.