# API Keys (/docs/account/api-keys)



API keys in Layers are **organization-scoped partner API keys** — not
per-user personal tokens. Create and manage them at
**Org → Settings → API Keys**. Only organization owners and admins can
create, rotate, or revoke keys.

## Creating a key [#creating-a-key]

1. Click **Create API key**.
2. Give it a name (3–50 characters, e.g. `acme-prod-mcp`).
3. Add an optional note (up to 500 characters) to remind yourself what
   the key is for.
4. Click **Create**.

The plaintext secret is shown **once**. Copy it now — it cannot be
retrieved again.

## Key format [#key-format]

Partner keys have the shape `lp_<env>_<keyid>_<secret>`:

* `env` is `live` or `test`.
* `keyid` is a 16-character uppercase alphanumeric identifier.
* `secret` is a 43-character base64url string (32 bytes of entropy).

Send the full key as a Bearer token on the `Authorization` header to call
the [Partner API](/docs/api).
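Because the secret is base64url it can contain `_` and `-`, so splitting a key on underscores misparses it. The following added example (not Layers' own code; the function names are hypothetical and the sample key is constructed) validates the documented shape by field width, builds the Bearer header, and redacts the secret from log text while keeping the key ID.

```python
import re
from typing import NamedTuple, Optional

# Shape from the page: lp_<env>_<keyid>_<secret>. Fields are matched by their
# fixed widths; the base64url alphabet includes "_" and "-", so key.split("_")
# would cut the secret into pieces.
KEY_RE = re.compile(
    r"lp_(?P<env>live|test)_(?P<keyid>[A-Z0-9]{16})_(?P<secret>[A-Za-z0-9_-]{43})"
)

# Constructed sample key (not a real credential); its secret contains "_" and "-".
SAMPLE_KEY = "lp_test_A1B2C3D4E5F6G7H8_" + "ab_cd-ef" * 5 + "xyz"


class PartnerKey(NamedTuple):
    env: str
    keyid: str
    secret: str


def parse_key(key: str) -> Optional[PartnerKey]:
    """Return the key's fields, or None if it does not have the documented shape."""
    m = KEY_RE.fullmatch(key)
    return PartnerKey(m["env"], m["keyid"], m["secret"]) if m else None


def redact(text: str) -> str:
    """Replace the secret of every key found in text, keeping env and key ID."""
    return KEY_RE.sub(lambda m: f"lp_{m['env']}_{m['keyid']}_<redacted>", text)


def auth_header(key: str) -> dict:
    """Build the Bearer header, rejecting malformed keys before any request is sent."""
    if parse_key(key) is None:
        # The message deliberately omits the key so it cannot leak via a traceback.
        raise ValueError("API key does not match lp_<env>_<keyid>_<secret>")
    return {"Authorization": f"Bearer {key}"}


if __name__ == "__main__":
    print(parse_key(SAMPLE_KEY).keyid)
    print(redact(f"auth failed for Bearer {SAMPLE_KEY}"))
```

Running `redact` over log lines before they are written keeps the key ID available for correlating with the audit log without storing the secret.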

## Revoking a key [#revoking-a-key]

Click **Revoke** next to a key. Revocation is immediate; any in-flight
request still using the key will fail.

## Rotation [#rotation]

Rotating a key issues a new secret and invalidates the old one. The key ID
and prefix stay the same, so you don't have to re-register anywhere that
refers to the key by ID — only update the secret in your secrets store.

## Rate-limit tiers [#rate-limit-tiers]

Every key is assigned a rate-limit tier. Self-serve keys default to
`standard`; design-partner and partner keys are upgraded by Layers
operators. Per-endpoint-class limits for each tier are documented with the
Partner API.

## Scopes [#scopes]

Scopes (project allow-list, allowed OAuth return domains, tool / resource
subsets) are currently managed by Layers operators via the system-admin
key-issuance endpoint. Self-serve keys start with no scope restrictions
and inherit the default quota.

## Audit [#audit]

Every use of a partner API key is recorded in the partner audit log for
that organization. See [Audit Log](/docs/organizations/audit-log).
