Authentication & Scopes
The Skycloak API uses API keys for authentication. Each key is scoped to a workspace and granted a set of scopes that control which operations it can perform.
API Keys
Creating an API Key
- Log in to your Skycloak dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Give it a name and select the required scopes
- Copy the key immediately. It won’t be shown again
Using an API Key
Pass your API key in the API-Key request header on every request:
```bash
curl https://api.skycloak.io/clusters \
  -H "API-Key: $SKYCLOAK_API_KEY" \
  -H "API-Version: 2026-06-01.beta"
```
Key Lifecycle
API keys can have the following statuses:
| Status | Description |
|---|---|
| active | Key is valid and can be used |
| revoked | Key has been manually revoked |
| expired | Key has passed its expiry date |
Keys can be revoked or rotated at any time from the dashboard or via the API.
Rotating an API Key
Rotating a key generates a new secret and immediately invalidates the old one — there is no grace period.
Security Best Practices
- Principle of least privilege — grant only the scopes your integration actually needs
- Rotate regularly — rotate keys on a schedule or whenever team members with access leave
- Use expiry dates — set expires_at on short-lived integrations so keys expire automatically
- Never share keys — each integration or CI/CD pipeline should use its own dedicated key
- Revoke immediately — if a key is compromised, revoke it right away
OAuth 2.0 Client Credentials
The Skycloak Public API itself authenticates with API keys (the API-Key header described above). Use API keys for all Skycloak API integrations.
OAuth 2.0 client credentials come into play one level down, for automating the contents of your own Keycloak. Each cluster has a per-cluster automation client that your tooling (Terraform, CI/CD, scripts, MCP servers, AI agents) uses with the client credentials grant to manage realms, clients, users, and roles inside your Keycloak. That is a separate credential from your Public API key. See Automating your Keycloak.
Scopes
Scopes control which operations an API key can perform. Follow the principle of least privilege — only grant the scopes your integration actually needs.
Write scopes imply their read counterpart. For example, clusters:write automatically grants clusters:read.
Available Scopes
See Settings → API Keys in the dashboard for the full list of available scopes and their descriptions.
Insufficient Scope Errors
If a request is made with a key that lacks the required scope, the API returns 403 Forbidden:
```json
{
  "type": "https://skycloak.io/docs/api/errors#forbidden",
  "title": "Forbidden",
  "detail": "API key does not have the required scope: clusters:write",
  "status": 403
}
```
See Error Handling for more detail on error responses.
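The following Python helper is an added example, not part of the Skycloak documentation or SDK. It ties together three points from this page: sending the API-Key and API-Version headers on every request, checking a key's scopes against what an integration needs under the rule that a write scope implies its read counterpart, and recognising the 403 problem+json body so the missing scope is reported rather than swallowed. The header names, version string, endpoint URL and error shape come from the page; the function names, the SAMPLE_403 body and the example:read scope are constructed for illustration.

```python
"""Added example: a small Skycloak API-key helper, not Skycloak's own SDK.

Taken from the page: the API-Key and API-Version headers, the version string
2026-06-01.beta, the https://api.skycloak.io/clusters endpoint, the rule that
write scopes imply their read counterpart, and the shape of the 403 body.
Constructed for illustration: the function names, the example:read scope and
the SAMPLE_403 body below.
"""
import json
import os
import urllib.error
import urllib.request
from typing import Iterable, List, Optional

BASE_URL = "https://api.skycloak.io"
API_VERSION = "2026-06-01.beta"


def build_headers(api_key: str) -> dict:
    """Headers every Public API request needs: API-Key plus a pinned API-Version."""
    if not api_key:
        raise ValueError("empty API key; export SKYCLOAK_API_KEY")
    return {"API-Key": api_key, "API-Version": API_VERSION, "Accept": "application/json"}


def scope_satisfied(granted: Iterable[str], required: str) -> bool:
    """True if the key's scopes cover `required`.

    Page rule: a write scope implies its read counterpart, so clusters:write
    satisfies clusters:read. Nothing else is implied (read never grants write).
    """
    granted = set(granted)
    if required in granted:
        return True
    resource, sep, action = required.rpartition(":")
    return sep == ":" and action == "read" and f"{resource}:write" in granted


def missing_scopes(granted: Iterable[str], required: Iterable[str]) -> List[str]:
    """Least-privilege check before deploying a key: required scopes it does not cover."""
    granted = set(granted)
    return sorted(r for r in required if not scope_satisfied(granted, r))


def parse_forbidden(status: int, body: bytes) -> Optional[str]:
    """Return the scope named in a 403 problem+json body, or None if it is another error."""
    if status != 403:
        return None
    try:
        problem = json.loads(body)
    except ValueError:
        return None
    if not str(problem.get("type", "")).endswith("#forbidden"):
        return None
    detail = str(problem.get("detail", ""))
    marker = "required scope: "
    idx = detail.find(marker)
    if idx == -1:
        return None
    return detail[idx + len(marker):].strip() or None


def list_clusters(api_key: str) -> dict:
    """GET /clusters, turning an insufficient-scope 403 into an actionable error."""
    req = urllib.request.Request(f"{BASE_URL}/clusters", headers=build_headers(api_key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read())
    except urllib.error.HTTPError as err:
        scope = parse_forbidden(err.code, err.read())
        if scope:
            raise PermissionError(
                f"API key lacks scope {scope}; grant it in Settings > API Keys "
                f"or use a key created for this integration") from err
        raise


# Constructed sample: the 403 body shape documented on the page.
SAMPLE_403 = json.dumps({
    "type": "https://skycloak.io/docs/api/errors#forbidden",
    "title": "Forbidden",
    "detail": "API key does not have the required scope: clusters:write",
    "status": 403,
}).encode()


if __name__ == "__main__":
    # Offline checks that need no network or key.
    print(scope_satisfied({"clusters:write"}, "clusters:read"))   # True
    print(missing_scopes({"clusters:read"}, ["clusters:write"]))   # ['clusters:write']
    print(parse_forbidden(403, SAMPLE_403))                         # clusters:write
    # Live call only when a key is present in the environment.
    key = os.environ.get("SKYCLOAK_API_KEY")
    if key:
        print(list_clusters(key))
```

Run `missing_scopes` against the scopes an integration actually calls before creating its key, so the key is created with exactly that set; at runtime, `parse_forbidden` distinguishes a scope problem (fix the key) from other 403s.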