OAuth 2.0 Application Programming Interface (API) Keys are opaque tokens used to authenticate requests for access to resources. OAuth 2.0 API Keys are long-lived access tokens that can be used to integrate with external third-party applications. In contrast to client credentials, where the Client ID and Secret are exchanged for a bearer token, the OAuth 2.0 API Key is itself the opaque token, meaning it carries no information inside the token. It can therefore be passed directly in the Authorization header with the Bearer scheme to access the resource.
For more information on including this API key in third-party applications, see "To use OAuth 2.0 API Keys to make calls for external system integrations" below.
Note
A maximum of 500 OAuth 2.0 API keys can be created per account.
You can create and manage API keys that utilize the OAuth 2.0 authorization framework using the API Keys tab of the Credentials screen in Global Settings. When creating API keys, you must be mindful of the organization in which you are creating them given that API keys are assigned to the organization in which they are created. This means that APIs called using the API keys will only be able to return objects accessible by the organizational group in which the API keys were created.
API keys that appear on the API Keys tab of the Credentials screen also depend on the organization in which you are currently logged in. For example, say your organizational hierarchy contains a root organization named Global and two child organizations named North America and Europe. If you are currently within the Global organization, you will be able to see all API keys created within the Global, North America, and Europe organizations. However, if you navigate to the North America organization, you will only be able to see API keys created in the North America organization and will not have visibility into API keys created in the Europe organization or Global organization.
Note
When viewing API keys within the root organization, there is currently no way to identify on the API Keys tab of the Credentials screen in which organization each API key was created. However, you can navigate to the individual sub-organizations to locate specific API keys and determine where each was created. Alternatively, you can incorporate the organization name into the name of the API key to make this identification easier in the future.
To create an OAuth 2.0 API Key
1. Click the gear icon in the upper right-hand corner to access Global Settings.
2. On the menu, select . The Credentials screen appears.
3. Navigate to the API Keys tab.
4. Click the Add button. The Enter New API Key Details section on the Create API Key screen appears.
5. In the Name field, enter a name for the OAuth 2.0 API Key.
6. Optional: In the Description field, enter a description for the OAuth 2.0 API Key.
7. Optional: In the API Key Lifetime field, select the amount of time that should pass before the OAuth 2.0 API Key expires. The default API Key lifetime is 1 hour, but it can be changed. The following options are available:
   - 1 Hour
   - 1 Day
   - 1 Week
   - 1 Month
   - 1 Year
8. Optional: Turn on the Restrict IP Addresses setting to restrict incoming communication to specific IP addresses. If this setting is enabled, enter an IP address in the Restrict IP Addresses field that appears. You can enter multiple IP addresses by clicking the Add button and entering an additional IP address in the field that appears.
9. Click the Next button. The Select API Scope section appears.
10. Select one or more check boxes to indicate the scope that matches the level of access you want to grant to an application.
11. Click the Create button. The API Key Created section appears.
12. In the Download API Key field, click the Download button. A .txt file containing the OAuth 2.0 API Key downloads to your local system.
Warning
The OAuth 2.0 API Key should be saved to a secure location.
13. Click the Close button.
To edit an OAuth 2.0 API Key
1. Click the gear icon in the upper right-hand corner to access Global Settings.
2. On the menu, select . The Credentials screen appears.
3. Go to the API Keys tab.
4. Click the link in the Name field for the OAuth 2.0 API Key that you want to edit. The API Key Details screen appears.
5. Click the Edit icon. Editable fields become available.
6. Modify the OAuth 2.0 API Key details on the Details tab and the Scope tab, as needed.
Note
The OAuth 2.0 API Key name and lifetime cannot be modified after creation.
7. Click the Save button.
To delete an OAuth 2.0 API Key
Note
Once an OAuth 2.0 API Key is deleted, it can no longer be used for authorization.
1. Click the gear icon in the upper right-hand corner to access Global Settings.
2. On the menu, select . The Credentials screen appears.
3. Go to the API Keys tab.
4. Hover over the OAuth 2.0 API Key that you want to delete, and click the Context Menu icon that appears.
5. On the menu, select . The Delete API Key modal appears.
6. Click the Delete button.
Note
OAuth 2.0 API Keys can also be deleted by clicking the Delete button on the API Key Details screen.
To use OAuth 2.0 API Keys to make calls for external system integrations
Once you have generated the API key, you can use it to make calls for external system integrations that communicate with OneTrust APIs and integration webhooks. This can be done in two ways:
- Include the generated API key in the Authorization header of third-party application calls.
- Append the generated API key as a query string parameter to the URL, for example:
https://staging.1trust.ninja/api/datasubject/v2/requestqueues/en-us?Authorization=Bearer+MDc5ZWI5Mzc4ZGMxNDViYzllMzRhYmFlNjZlNWFiMzE6WlVzN002ZGlBZWNtT1FJWDcwZFdzN0NaWUQxNVdQdXV=
Tip
These API keys are not for use in integration workflows to authenticate calls to OneTrust APIs. To make internal calls between OneTrust endpoints, or webhooks between OneTrust products and data sources, use the seeded actions available in the workflow builder. For more information, see Managing Custom Integration Workflows.
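The settings chosen in the creation steps above (lifetime, Restrict IP Addresses, scope) and the two ways of presenting the key described here are modelled in this added example, which is illustrative code written for this page and not OneTrust's implementation. The record fields, the sample key, and the 30-day month are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

# Lifetime options on the Create API Key screen ("1 Month" as 30 days is assumed).
LIFETIMES = {
    "1 Hour": timedelta(hours=1),
    "1 Day": timedelta(days=1),
    "1 Week": timedelta(weeks=1),
    "1 Month": timedelta(days=30),
    "1 Year": timedelta(days=365),
}

@dataclass(frozen=True)
class ApiKeyRecord:
    """Resource-server view of one key; field names are assumed, not OneTrust's schema."""
    name: str
    created: datetime
    lifetime: str = "1 Hour"
    scopes: frozenset = frozenset()
    allowed_ips: tuple = ()  # empty means Restrict IP Addresses is off

def key_accepts(rec: ApiKeyRecord, client_ip: str, scope: str, now: datetime) -> bool:
    """True if a request presenting `rec` may use `scope` from `client_ip` at `now`."""
    if now >= rec.created + LIFETIMES[rec.lifetime]:
        return False  # expired; the lifetime cannot be changed after creation
    if rec.allowed_ips and not any(
        ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)
        for entry in rec.allowed_ips
    ):
        return False  # Restrict IP Addresses is on and the caller is not listed
    return scope in rec.scopes  # only scopes ticked at creation are granted

def bearer_header(token: str) -> dict:
    """Form 1: the opaque key goes straight into the Authorization header."""
    return {"Authorization": f"Bearer {token}"}

def append_query_auth(url: str, token: str) -> str:
    """Form 2: Authorization=Bearer+<key> on the query string (urlencode writes the
    space as '+', as in the docs' URL). Unlike headers, query strings are routinely
    recorded in server, proxy and browser logs."""
    parts = urlparse(url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    query.append(("Authorization", f"Bearer {token}"))
    return urlunparse(parts._replace(query=urlencode(query)))

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
SAMPLE_KEY = ApiKeyRecord("North America - DSAR export", T0, "1 Hour",  # constructed
                          frozenset({"read"}), ("203.0.113.0/24",))
```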