API Keys
API keys authenticate requests to the NightPanel backend. They are tied to a workspace and have a role that determines what actions are allowed.
How API Keys Work
Every request to the NightPanel API must include an API key in the X-API-Key header. The server uses this key to:
- Identify the workspace — determine which monitors and data to show
- Check permissions — verify the key's role allows the requested action
Roles
Each API key has a role:
| Role | Can View | Can Create/Edit/Delete | Can Manage Keys |
|---|---|---|---|
| viewer | ✅ | ❌ | ❌ |
| member | ✅ | ✅ | ❌ |
| owner | ✅ | ✅ | ✅ |
Extension API Key
When you log in to the Chrome extension, it automatically creates an API key labeled extension-auto with the owner role. If you log in again, the existing key is rotated (replaced with a new one) for security.
You don't need to manage this key — the extension handles it automatically.
Creating Additional Keys
If you need API access outside the extension (for scripts, integrations, or other tools), you can create additional keys through the API:
```bash
curl -X POST https://your-backend/api/keys \
  -H "X-API-Key: your-existing-key" \
  -H "Content-Type: application/json" \
  -d '{"role": "member", "label": "CI pipeline"}'
```
The response contains the API key — save it immediately, as it's only shown once.
Security
- API keys are hashed before storage — we never store the raw key
- Keys are tied to a single workspace
- You cannot delete the last owner-level key (to prevent lockout)
- Keys do not expire, but you can delete them at any time
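
The rules in the Roles table and the Security list above, modelled as an added Python example (this is not NightPanel's own code). The `KeyStore` class, the action names, and the choice of SHA-256 are assumptions; the page does not name the hash algorithm or describe the backend's storage.

```python
import hashlib
import secrets

# Permission matrix from the Roles table; action names are assumed.
ROLE_ACTIONS = {
    "viewer": {"view"},
    "member": {"view", "edit"},
    "owner": {"view", "edit", "manage_keys"},
}


class KeyStore:
    """Hypothetical in-memory key table, keyed by digest of the raw key."""

    def __init__(self):
        self._rows = {}  # digest -> {"workspace", "role", "label"}

    @staticmethod
    def _digest(raw_key):
        # Assumption: SHA-256, adequate for high-entropy random keys.
        return hashlib.sha256(raw_key.encode()).hexdigest()

    def create(self, workspace, role, label):
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role: {role}")
        raw_key = secrets.token_urlsafe(32)  # shown once, never stored
        self._rows[self._digest(raw_key)] = {
            "workspace": workspace, "role": role, "label": label}
        return raw_key

    def authorize(self, raw_key, action):
        """Return the key's workspace if its role allows action, else None."""
        row = self._rows.get(self._digest(raw_key or ""))
        if row is None or action not in ROLE_ACTIONS[row["role"]]:
            return None
        return row["workspace"]

    def delete(self, workspace, label):
        """Delete keys by label, refusing to remove the last owner key."""
        doomed = {d for d, r in self._rows.items()
                  if r["workspace"] == workspace and r["label"] == label}
        owners_left = [d for d, r in self._rows.items()
                       if r["workspace"] == workspace
                       and r["role"] == "owner" and d not in doomed]
        removes_owner = any(self._rows[d]["role"] == "owner" for d in doomed)
        if removes_owner and not owners_left:
            raise PermissionError("cannot delete the last owner-level key")
        for d in doomed:
            del self._rows[d]
        return len(doomed)
```

Because only the digest is stored, a leaked copy of this table does not reveal usable keys, which is also why the raw key can be shown only once at creation.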