# API Keys

The API key enables you to directly use HiddenLayer’s API endpoints to get the full AI Security Platform experience.

## Create API Key

1. In the HiddenLayer Console, go to **Settings > API Keys**.
2. Click **+ New**.

3. Enter a name for the API key, select an expiration, then click **Next**.

4. Select the permissions for each category, then click **Create API Key**. You can select a combination of **Read**, **Write**, and **Delete** permissions, or click **All** to allow all permissions for the selected category.
   See the [API Permissions](#api-permissions) and [API Resources](#api-resources) tables below for more information.
   Not selecting any permissions will create an API key with all permissions enabled.

5. A unique API key is generated, and the `clientID` and `clientSecret` values are displayed. Click the copy icon and save the values in a password manager or in a file in a secure location.
   It is important to save this information because you cannot retrieve it in the future.

6. After saving this information, click **Close**.


## Expired API Key

When an API key is created, an expiration is set. When an API key expires, it is securely deleted and automatically removed from the Console.

## Delete API Key

1. On the API Keys page, click the three vertical dots for the API key you want to delete.

2. Click **Delete**. A message displays, asking you to confirm deleting the key.

3. Click **Delete**.


## When should I create a new API key?

API keys are highly sensitive assets and should be treated as such. The table below gives examples of when to create a new API key. The examples are based on best practices and are not exhaustive. We recommend reviewing your own company policies on such requirements.

| Scenario | Description |
|  --- | --- |
| Security Updates | Create a new API key if you suspect that the current key has been compromised or as part of regular security updates. Regularly rotating API keys is a good security practice. |
| New Team Members or Roles | If a new team member requires access or if there are changes in roles within the team, generating a new API key can help maintain proper access controls. |
| Project or Environment Changes | For different projects or development environments (like staging, production), it's advisable for you to use separate API keys. This helps in tracking and managing access more effectively. |
| After Key Expiration | If the API key has an expiration date, a new key must be created upon its expiry to maintain uninterrupted access to the platform. |
| Policy or Compliance Requirements | You may have organizational policies or compliance standards in place that dictate how often API keys should be rotated or renewed. |
| Lost API Key | API keys are not recoverable. If you forget or lose your API key you must create a new one. |


## API Resources

| Category | Description |
|  --- | --- |
| API Keys | The keys for interacting with the HiddenLayer API. |
| Attack Simulation | Automated security testing for your AI systems. |
| Audit | The user activity in the Console is recorded in the audit log. |
| Detections | A Detection is a grouping of convictions, which are malicious events. |
| Integrations | Integrations with third-party tools, like AWS and Databricks. |
| Interactions | A detection tool that checks whether AI inputs (prompts) and outputs are safe or malicious. |
| Model Inventory | The Model Inventory is for model scans. |
| Model Scanner | The permissions for the AI Runtime Security CLI when deployed in Hybrid Mode. |
| Policies | Allows you to remotely configure your instance of Runtime Security. Create policies and apply them to Projects. |
| Projects | Provides visibility and control into your AI use cases. You can assign a Policy to a Project. |
| Users | Users who have access to the Console. |


## API Permission Related to Products or Features

Some HiddenLayer products require an API key and secret. The following table covers the API Permissions needed for a product deployment or a product feature.

| Product | API Permission | Notes |
|  --- | --- | --- |
| AI Attack Simulation | - Attack Simulation: Read, Write, Delete | Permissions needed for AI Attack Simulation.<br>- Read: Use any `get` or `list` API routes.<br>- Write: Create a resource (e.g. start a Red Team Evaluation, create a Prompt Set).<br>- Delete: Delete a resource. |
| AI Runtime Security | - Interactions: Read, Write<br>- Policies: Read<br>- Projects: Read | Permissions needed for Runtime Security. |
| AI Supply Chain Security CLI Hybrid Mode | - Model Inventory: Read, Write<br>- Model Scanner: Write | Permissions needed for Supply Chain CLI deployed in Hybrid Mode, including Community Scan. Hybrid Mode sends scan results to the AI Security Platform. |
| AI Supply Chain Security GitHub Action | - Model Inventory: Read, Write<br>- Model Scanner: Write | These are the only permissions required to scan models using the GitHub Action integration (including Community Scan). No additional permissions are needed. |
| AI Supply Chain Security Azure DevOps Plugin | - Model Inventory: Read, Write<br>- Model Scanner: Write | These are the only permissions required to scan models using the Azure DevOps plugin (including Community Scan). No additional permissions are needed. |
| Integrations | - View Integrations: Read<br>- Create Integrations: Write<br>- Delete Integrations: Delete | HiddenLayer provides integrations with various third-party products and processes. |
| Interactions SaaS | - Interactions: Read, Write | Permissions needed for Interactions. |
| Prompt Analyzer (SaaS) | - Any | Only requires an API client ID and secret that are not expired. |
| Single Sign-On (SSO) | - Integrations: Read, Write, Delete | These are the permissions required to implement and manage an organization's single sign-on access to the HiddenLayer Console. |
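
A least-privilege review of a planned key against the table above, as an added example that is not HiddenLayer code. The dict format for the planned selection and the function names `effective` and `review` are hypothetical; only three products from the table are encoded, and an empty selection is expanded to every category and permission, following the note in the Create API Key steps.

```python
# Added example: review a planned key selection against the table on this page.
ALL = frozenset({"Read", "Write", "Delete"})

# Categories from the API Resources table.
CATEGORIES = [
    "API Keys", "Attack Simulation", "Audit", "Detections", "Integrations",
    "Interactions", "Model Inventory", "Model Scanner", "Policies",
    "Projects", "Users",
]

# Required permissions for three products, copied from the table above.
REQUIRED = {
    "AI Attack Simulation": {"Attack Simulation": {"Read", "Write", "Delete"}},
    "AI Runtime Security": {
        "Interactions": {"Read", "Write"},
        "Policies": {"Read"},
        "Projects": {"Read"},
    },
    "AI Supply Chain Security CLI Hybrid Mode": {
        "Model Inventory": {"Read", "Write"},
        "Model Scanner": {"Write"},
    },
}


def effective(selected):
    """Expand a planned selection (hypothetical dict format) into held permissions."""
    if not any(selected.values()):
        # Per this page: selecting nothing creates a key with all permissions.
        return {c: set(ALL) for c in CATEGORIES}
    return {c: set(ALL) if "All" in p else set(p) for c, p in selected.items() if p}


def review(product, selected):
    """Return (missing, excess) as sorted lists of (category, permission)."""
    need, have = REQUIRED[product], effective(selected)
    missing = sorted((c, p) for c, ps in need.items() for p in ps - have.get(c, set()))
    excess = sorted((c, p) for c, ps in have.items() for p in ps - need.get(c, set()))
    return missing, excess


if __name__ == "__main__":
    # Constructed sample: a key planned for the Supply Chain CLI in Hybrid Mode.
    planned = {"Model Inventory": ["All"], "Model Scanner": []}
    missing, excess = review("AI Supply Chain Security CLI Hybrid Mode", planned)
    print("missing:", missing)
    print("excess:", excess)
```

A non-empty `excess` list means the key would hold permissions the product does not need; a non-empty `missing` list means the deployment would fail an authorization check.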