Skip to main content

API Keys for PDPs and Automation

API keys are service identities that let OPA/EOPA instances and automation report decision logs and status to EnforceAuth. They are scoped to an entity and carry explicit permission scopes.

Where to manage keys

LocationRouteUse
Entity detail/entities/:idAPI Keys sectionKeys for a specific system or org
Tenant secrets/secretsAPI Keys tabAll keys across the tenant

Entity detail tabs: Relationships, Configuration, Secrets, API Keys, CI/CD Tokens.

Create an API key

  1. Open the target entity → API Keys.
  2. Click Create API Key.
  3. Complete the form:
FieldRules
Name *Letters, numbers, _, -; must start with a letter; max 255
DescriptionOptional; max 1000
Scopes *At least one; immutable after creation
Expires AtOptional; must be in the future if set

Dialog copy explains the key is for OPA decision log reporting.

Available scopes

UI labelScope valueAllows
Write Decisionsdecisions:writePOST /v1/decisions/logs
Read Decisionsdecisions:readGET /v1/decisions/logs
Write Statusstatus:writePOST /v1/status
Read Statusstatus:readGET /v1/status
Read Policiespolicies:readPolicy index / source file access

Maximum 10 scopes per key.

For standard PDP ingestion, include decisions:write at minimum.

For Kubernetes sidecar fleets with PDP Monitoring, also include status:write — see Kubernetes Control Center.

One-time key display

After creation, the API Key Created dialog shows the full secret once. Copy it immediately — list and detail views show only the Key Prefix.

Store the key in your secrets manager or Kubernetes secret, not in Git.

Wire OPA to EnforceAuth

Use View Config on a key to open PDP Configuration. The template sets:

services:
enforceauth:
url: ${ENFORCEAUTH_URL}/v1
headers:
X-API-Key: ${ENFORCEAUTH_API_KEY}
decision_logs:
service: enforceauth
reporting:
min_delay_seconds: 30
max_delay_seconds: 60

Environment variables:

  • ENFORCEAUTH_URLhttps://api.enforceauth.com or .dev for non-prod
  • ENFORCEAUTH_API_KEY — the key you copied at creation

Point your PDP at this config after deploy so decision logs flow into the console.

List and lifecycle

The API Keys table shows Key Prefix, Name, Scopes, Last Used, and Expires.

Row actions:

  • Edit — change name and description (scopes cannot change)
  • View Config — PDP YAML snippet
  • Revoke — immediate; cannot be undone

Empty state: Create an API key to allow your OPA instances to send decision logs to EnforceAuth.

Rotation

The console has no one-click Rotate action. To rotate:

  1. Create a new key with the same scopes.
  2. Update PDP config with the new secret.
  3. Verify decision logs arrive under Decisions.
  4. Revoke the old key.

The revoke dialog reminds you: create the replacement first, then revoke.

Programmatic rotation is available via the MCP tool ea_rotate_api_key for automation outside the console UI.

Permissions

Managing API keys requires a signed-in console user with api_keys:read / api_keys:write authorization. Keys themselves authenticate PDP traffic — not console sessions.

Verify success

  • Key appears in the entity list with expected scopes
  • PDP config applied with correct ENFORCEAUTH_URL and key
  • Last Used updates after traffic
  • Entries appear on Decisions for the entity's systems
  • Policy Coverage moves from Never evaluated toward Evaluated