> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prem.io/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Learn how API keys work, how to manage them, and how to use scopes and IP restrictions.

API keys are the primary method of authentication for interacting with our APIs. They are organization-based, permission-scoped, and can be secured with IP restrictions.

<Card title="Create and Manage API Keys" icon="lock" href="https://dashboard.prem.io/api-keys" arrow="true">
  You can generate and manage API keys in your Prem API Dashboard > Developers > API Keys section.
</Card>

## Linked to Organizations

API keys are **issued at the organization level**, not tied to individual users. This means:

* Any action performed using an API key is attributed to the **owning organization**.
* Multiple team members can collaborate using separate keys within the same organization.
* API keys persist independently of individual user accounts.

## Unlimited Keys per Organization

Each organization can create **any number of API keys**, allowing for flexibility across environments, services, or teams.

Common usage patterns include:

* One key per environment (e.g., `development`, `staging`, `production`)
* One key per integration (e.g., billing automation, analytics)
* Temporary keys for CI/CD or testing purposes

## IP Restrictions

To enhance security, API keys can be **restricted to specific IP addresses or subnets**:

* **Supports IPv4**, **IPv6**, and **CIDR notation**
* Requests from unauthorized IPs will be rejected with a `403 Forbidden` error

Example entries:

* `192.168.1.10`
* `2001:0db8::/32`
* `203.0.0.0/8`

<Tip>Use IP allowlists to lock down critical integrations (e.g., production).</Tip>

## Scoped Permissions

Each API key can be limited to a specific set of **scopes**, defining what parts of the API it can access.

You'll be prompted to set these scopes when creating an API Key in the dashboard, if none are specified the API Key will have full permissions.

# API Scopes Reference

| Scope                    | Description                                               |
| ------------------------ | --------------------------------------------------------- |
| `api_keys.read`          | View and list API keys associated with your organization. |
| `chats.completion`       | Access chat completion functionality.                     |
| `tools.execute`          | Execute tools and integrations.                           |
| `files.encrypted.read`   | Read encrypted files.                                     |
| `files.encrypted.create` | Upload encrypted files.                                   |
| `files.encrypted.delete` | Delete encrypted files.                                   |
| `audio.transcription`    | Transcribe audio files to text.                           |
| `audio.translation`      | Translate audio from any language to English.             |

This allows you to enforce **principle of least privilege** and isolate permissions per use case.

<Info>A request made with a key lacking the required scope will return `403 Forbidden`.</Info>

## Best Practices

* **Rotate keys regularly** to minimize exposure
* **Use least privilege**: only assign required scopes
* **Restrict by IP** where possible
* **Avoid sharing keys between environments** or teams

For key management, visit your **Dashboard > API > API Keys**.

Need help? Contact [support](mailto:support@premai.io) or refer to the [Authentication Guide](/recipes/authentication).