API Keys for PDPs and Automation
API keys are service identities that let OPA/EOPA instances and automation report decision logs and status to EnforceAuth. They are scoped to an entity and carry explicit permission scopes.
Where to manage keys
| Location | Route | Use |
|---|---|---|
| Entity detail | /entities/:id → API Keys section | Keys for a specific system or org |
| Tenant secrets | /secrets → API Keys tab | All keys across the tenant |
Entity detail tabs: Relationships, Configuration, Secrets, API Keys, CI/CD Tokens.
Create an API key
- Open the target entity → API Keys.
- Click Create API Key.
- Complete the form:
| Field | Rules |
|---|---|
| Name * | Letters, numbers, _, -; must start with a letter; max 255 |
| Description | Optional; max 1000 |
| Scopes * | At least one; immutable after creation |
| Expires At | Optional; must be in the future if set |
Dialog copy explains the key is for OPA decision log reporting.
Available scopes
| UI label | Scope value | Allows |
|---|---|---|
| Write Decisions | decisions:write | POST /v1/decisions/logs |
| Read Decisions | decisions:read | GET /v1/decisions/logs |
| Write Status | status:write | POST /v1/status |
| Read Status | status:read | GET /v1/status |
| Read Policies | policies:read | Policy index / source file access |
Maximum 10 scopes per key.
For standard PDP ingestion, include decisions:write at minimum.
For Kubernetes sidecar fleets with PDP Monitoring, also include status:write — see Kubernetes Control Center.
One-time key display
After creation, the API Key Created dialog shows the full secret once. Copy it immediately — list and detail views show only the Key Prefix.
Store the key in your secrets manager or Kubernetes secret, not in Git.
Wire OPA to EnforceAuth
Use View Config on a key to open PDP Configuration. The template sets:
services:
enforceauth:
url: ${ENFORCEAUTH_URL}/v1
headers:
X-API-Key: ${ENFORCEAUTH_API_KEY}
decision_logs:
service: enforceauth
reporting:
min_delay_seconds: 30
max_delay_seconds: 60
Environment variables:
- ENFORCEAUTH_URL —
https://api.enforceauth.comor.devfor non-prod - ENFORCEAUTH_API_KEY — the key you copied at creation
Point your PDP at this config after deploy so decision logs flow into the console.
List and lifecycle
The API Keys table shows Key Prefix, Name, Scopes, Last Used, and Expires.
Row actions:
- Edit — change name and description (scopes cannot change)
- View Config — PDP YAML snippet
- Revoke — immediate; cannot be undone
Empty state: Create an API key to allow your OPA instances to send decision logs to EnforceAuth.
Rotation
The console has no one-click Rotate action. To rotate:
- Create a new key with the same scopes.
- Update PDP config with the new secret.
- Verify decision logs arrive under Decisions.
- Revoke the old key.
The revoke dialog reminds you: create the replacement first, then revoke.
Programmatic rotation is available via the MCP tool ea_rotate_api_key for automation outside the console UI.
Permissions
Managing API keys requires a signed-in console user with api_keys:read / api_keys:write authorization. Keys themselves authenticate PDP traffic — not console sessions.
Verify success
- Key appears in the entity list with expected scopes
- PDP config applied with correct
ENFORCEAUTH_URLand key - Last Used updates after traffic
- Entries appear on Decisions for the entity's systems
- Policy Coverage moves from Never evaluated toward Evaluated
Related guides
- PDP integration
- Deployment patterns
- Application integration
- Decision logs
- Deployments — bundle must be live before decisions matter
- Entity model
- 15-minute quickstart
- API Reference