API Keys
Create and manage API keys for programmatic access to your Kemon workspace.
API keys authenticate external applications — including MCP clients — to interact with your workspace programmatically. Manage keys from Settings > Developer (admin or owner role required).
Key types
Private keys
Prefixed with sk_. Used for server-side access and MCP tool calls. Private keys are hashed before storage. An encrypted copy is also stored so the key can be revealed later from the key list.
Public keys
Prefixed with pk_. Designed for client-side applications with domain restrictions. Public keys have limited access and are safe to include in browser-based code.
Environments
Each key belongs to one environment:
- Production — works on your secured domains (e.g.
sk_abc123...) - Test — restricted to
localhostfor local development (e.g.sk_test_abc123...)
Test keys include a test_ infix after the type prefix.
Scopes
Private keys use scopes to control which MCP tools are available. Select scopes when creating a key or edit them later.
| Resource | Read scope | Write scope |
|---|---|---|
| Tickets | tickets:read | tickets:write |
| Projects | projects:read | projects:write |
| Teams | teams:read | — |
| Labels | labels:read | labels:write |
| Members | members:read | — |
Full access
Leaving all scopes unchecked when creating a key grants unrestricted access to every tool.
Reserved scopes
projects:write and labels:write are available when creating keys but are not currently
required by any MCP tool. They are reserved for future tools.
Expiration
Keys can be set to expire after 30, 60, 90, 180, or 365 days, or never. The default is 90 days. Expired keys stop working immediately — rotate keys before their expiration date to avoid disruption.
Managing keys
Creating a key
- Go to Settings > Developer
- Click Create API Key
- Choose the key type (private or public), environment, name, expiration, and scopes
- Copy the key immediately — private keys cannot be retrieved again after this step
Copy your private key
Private keys are shown once at creation. If you lose it, revoke the key and create a new one.
Revealing a private key
If a key was created with encrypted storage, you can reveal it from the key list. Click the masked key value to copy the full key.
Renaming a key
Open the actions menu on any key row and select Rename to update the display name.
Editing scopes
Open the actions menu on a private key and select Edit Scopes to change which MCP tools the key can access. At least one scope is required.
Revoking a key
Open the actions menu and select Revoke. This permanently deactivates the key — revoked keys cannot be restored.
Security best practices
- Store keys in environment variables — never commit them to source control
- Use test keys for development — avoid using production keys locally
- Apply least-privilege scopes — only grant the scopes your integration needs
- Rotate keys before expiration — create a replacement key, update your integration, then revoke the old one
- Revoke unused keys — deactivate keys for integrations that are no longer active