Skip to content

API Keys

View as Markdown

Daytona API keys authenticate requests to the Daytona API. They are used by the Daytona SDKs and CLI to access and manage resources in your organization.

Create API keys to authenticate Daytona SDKs, API, and CLI requests.

  1. Go to Daytona Dashboard ↗
  2. Click Create Key
  3. Enter the name of the API key, set the expiration date, and select permissions
  4. Click Create
  5. Copy the API key to your clipboard and use it to authenticate requests

Use your API key to authenticate Daytona SDKs, API, and CLI requests.

Daytona supports multiple configuration methods, in order of precedence:

  1. Configuration in code
  2. Environment variables
  3. .env file
  4. Default values
VariableDescription
DAYTONA_API_KEYYour Daytona API key
Required
DAYTONA_API_URLURL of the Daytona API
Default: https://app.daytona.io/api
DAYTONA_TARGETTarget region for sandboxes
Regions: us, eu
DAYTONA_ORGANIZATION_IDYour organization ID
Required when authenticating with a JWT token
DAYTONA_JWT_TOKENJWT token from daytona login
Used for programmatic account-level operations
Terminal window
DAYTONA_API_KEY=YOUR_API_KEY
DAYTONA_API_URL=https://app.daytona.io/api
DAYTONA_TARGET=us
Terminal window
export DAYTONA_API_KEY=YOUR_API_KEY
export DAYTONA_API_URL=https://app.daytona.io/api
export DAYTONA_TARGET=us
from daytona import Daytona, DaytonaConfig
# Using environment variables
daytona = Daytona()
# Using explicit configuration
config = DaytonaConfig(
api_key="YOUR_API_KEY",
api_url="https://app.daytona.io/api",
target="us",
)
daytona = Daytona(config)

JWT tokens are used to authenticate account-level operations with the Daytona API.

Every JWT-authenticated request must include the X-Daytona-Organization-ID header set to your organization ID. JWT tokens expire after a short period.

  1. Run daytona login
  2. Select Login with Browser
  3. Complete the sign-in in your browser
  4. The CLI saves the access token to config.json in the Daytona config directory

Daytona resolves the config directory from the $DAYTONA_CONFIG_DIR environment variable. If the variable is not set, Daytona uses the daytona folder inside your OS user config directory: ~/.config/daytona on Linux and ~/Library/Application Support/daytona on macOS. The active profile stores the token in the api.token.accessToken field.

ResourceScopeDescription
Sandboxeswrite:sandboxesCreate/modify sandboxes
delete:sandboxesDelete sandboxes
Snapshotswrite:snapshotsCreate/modify snapshots
delete:snapshotsDelete snapshots
Registrieswrite:registriesCreate/modify registries
delete:registriesDelete registries
Volumesread:volumesView volumes
write:volumesCreate/modify volumes
delete:volumesDelete volumes
Auditread:audit_logsView audit logs
Regionswrite:regionsCreate/modify regions
delete:regionsDelete regions
Runnersread:runnersView runners
write:runnersCreate/modify runners
delete:runnersDelete runners
API Keysmanage:api_keysCreate, list, and delete API keys using an API key
Secretsmanage:secretsCreate, update, and delete secrets

List API keys for the current user or organization.

When authenticated with a JWT, organization owners see all keys in the organization and other users see only their own keys. When authenticated with a manager API key, the response is limited to keys that manager key created. See Managed API keys.

Terminal window
curl 'https://app.daytona.io/api/api-keys' \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_JWT_TOKEN'

Get details of the API key used to authenticate the current request.

Terminal window
curl 'https://app.daytona.io/api/api-keys/current' \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_API_KEY'

Get a single API key by name.

Terminal window
curl 'https://app.daytona.io/api/api-keys/my-api-key' \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_JWT_TOKEN'

Delete an API key.

The key is revoked immediately and cannot be recovered.

  1. Go to Daytona Dashboard ↗
  2. Click Revoke next to the API key you want to delete
  3. Confirm the revocation
Terminal window
curl 'https://app.daytona.io/api/api-keys/my-api-key' \
--request DELETE \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_JWT_TOKEN'

Delete an API key for a specific user.

This endpoint requires JWT authentication and is available to the key or organization owner.

Terminal window
curl 'https://app.daytona.io/api/api-keys/{userId}/my-api-key' \
--request DELETE \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_JWT_TOKEN'

Contact Daytona to enable this feature for your organization.

Daytona provides Managed API keys to create and manage API keys programmatically. Managed API keys let a manager key mint, list, and delete child API keys without a JWT session.

A manager key is an API key with the manage:api_keys permission. Use this when an application or service needs to issue scoped keys to tenants or workloads at runtime.

When authenticated with a manager key:

  • child key permissions must be a subset of the manager key’s permissions
  • a manager key can only list and delete keys it created; it cannot access other keys
  • child keys cannot manage other keys unless you explicitly grant them manage:api_keys

Create a manager key.

  1. Go to Daytona Dashboard ↗
  2. Click Create Key
  3. Enter the key name, set the expiration date, and enable Manage API keys
  4. Select the resource scopes child keys may use
  5. Click Create
  6. Copy the API key to your clipboard
Terminal window
curl 'https://app.daytona.io/api/api-keys' \
--request POST \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_JWT_TOKEN' \
--data '{
"name": "Manager Key",
"permissions": ["manage:api_keys", "write:sandboxes", "delete:sandboxes"]
}'

Create a child key.

Terminal window
curl 'https://app.daytona.io/api/api-keys' \
--request POST \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer YOUR_MANAGER_API_KEY' \
--data '{
"name": "tenant-a-key",
"permissions": ["write:sandboxes", "delete:sandboxes"]
}'

The response includes the full child key value. Store it immediately. After creation, only a masked value is available when listing keys.

List child keys.

Terminal window
curl 'https://app.daytona.io/api/api-keys' \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_MANAGER_API_KEY'

Delete a child key.

  1. Authenticate with the manager key

  2. Send a DELETE request to /api-keys/{name}

    A manager key can only delete keys it created

Terminal window
curl 'https://app.daytona.io/api/api-keys/tenant-a-key' \
--request DELETE \
--header 'X-Daytona-Organization-ID: YOUR_ORGANIZATION_ID' \
--header 'Authorization: Bearer YOUR_MANAGER_API_KEY'