How to Grant API Key Access in Login Policies

Last updated: July 8, 2025

When setting up access controls for API keys in your Login Policy, there are two main approaches you can use:

Method 1: Direct API Key Reference

You can directly reference the API key ID in your login policy using this syntax:

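package spacelift

# Replace <api_id> with the ID of the API key.
# Let the API key log in.
allow {
    input.session.login == "api::<api_id>"
}

# Give the same API key read access to the space "spaceid".
space_read["spaceid"] {
    input.session.login == "api::<api_id>"
}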

Method 2: Using Groups

Alternatively, you can assign API keys to groups and reference those groups in your login policy:

  1. When creating the API key, specify the group in the creation form

  2. Reference that group in your login policy

If your group-based policy isn't working as expected, use the policy simulator to check the sampled input and verify the group assignment is being properly referenced in the login attempts.
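A group-based version of the Method 1 policy, as an added example that is not part of the original page. The group name "ci-automation" and the helper rule is_ci_key are hypothetical, and the example assumes the key's groups arrive in input.session.teams, the same field that carries human users' teams.

```rego
package spacelift

# Hypothetical group name, entered in the API key creation form.
ci_group := "ci-automation"

# True only for API key sessions (login has the "api::" prefix shown in
# Method 1) that carry the group. Assumption: the key's groups are listed
# in input.session.teams.
is_ci_key {
    startswith(input.session.login, "api::")
    input.session.teams[_] == ci_group
}

# Let any API key in the group log in.
allow {
    is_ci_key
}

# Give those keys read access to the space "spaceid".
space_read["spaceid"] {
    is_ci_key
}

# Constructed sample input to compare against what the policy simulator
# shows for a login attempt (placeholder key ID):
# {
#   "session": {
#     "login": "api::<api_id>",
#     "teams": ["ci-automation"]
#   }
# }
```

Matching on the group alone would also admit a human user whose identity-provider team happens to share the name; the prefix check keeps the rule scoped to API keys.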

Both methods are valid approaches to managing API key access. Choose the one that best fits your security requirements and organizational structure.