Access Control · Automation

Give your pipelines exactly the access they need

API keys scoped to groups. The same permission model as your users. Configurable expiration. Manage all organization keys from one view.

Least-privilege automation. No admin keys for CI/CD.

Available on Free, Pro, Scale, Enterprise

The problem

Automation credentials are often over-privileged

When API keys can't be scoped, the easiest option is to give them admin access. That works until the key is leaked, the pipeline changes, or the audit comes.

Automation runs with admin permissions

Without scoped keys, CI/CD pipelines receive the same access as a human administrator. One compromised key can affect the entire platform.

Keys never expire and can't be audited

Long-lived keys without expiration policies accumulate over time. When a system is decommissioned or a team changes, old keys remain active with no easy way to find them.

Different access models for users and services

When API keys are managed separately from user permissions, the two systems drift apart. Service accounts end up with access that doesn't match what a human in the same role would have.

Our solution

Scoped keys through the groups system

Every API key is assigned to a group at creation time. Group rules define exactly what the key can access: the same rules that govern human users. Set an expiration policy. Rotate without changing group assignments.

From creation to use

  1. Create an API key in Cosmo Studio with a name and a configurable expiration, including the option to never expire.

  2. Assign the key to a group at creation time. The key inherits all permissions from that group's rules.

  3. Copy the key immediately; it is displayed only once.

  4. Store the key in your CI/CD secrets, configure the wgc CLI, or use it in automation scripts.

  5. For SCIM integration, enable the SCIM permission on the key separately during creation.

  6. View all organization keys in one place. Admin, Developer, and API Key Manager roles can create keys.

Create once, use everywhere. Rotate by creating a new key in the same group.

API Keys

Before & After

| Before Cosmo | With Cosmo |
| --- | --- |
| All-or-nothing API key access | Group-based granular permissions per key |
| No expiration management | Configurable expiration, including non-expiring keys |
| Separate access model for users and service accounts | Unified groups for both humans and API keys |
| No record of what each key can access | Permissions visible via group assignment |

Integration

Works with your existing tools

wgc CLI
Use the key with the WunderGraph Cosmo CLI for local development and automation scripts.
CI/CD platforms
Store the key as a secret in GitHub Actions, GitLab CI, Jenkins, or any other pipeline platform.
SCIM integration
For identity provider automation, create a key with SCIM permission enabled and use it as the SCIM authorization header.

How Cosmo API Keys work

01
Flexible expiration options.

Create

Open API Keys in your organization settings. Click New API Key. Enter a name and select an expiration, including the option to never expire.

02
Group-inherited permissions.

Assign to group

Select the group the key belongs to. The key inherits all permissions from that group's rules, the same model used for organization members.

03
Shown only once.

Copy once

After generation, the key is displayed once. Copy it and store it securely in your CI/CD platform, environment variables, or secrets manager.

04
Rotate without access changes.

Use and rotate

Use the key with the wgc CLI or any HTTP client. When the key approaches expiration or needs rotation, create a new key assigned to the same group.

What's included

Secure automation on every plan

Available on Free, Pro, Scale, and Enterprise.

Group-scoped permissions

Each key inherits permissions from its assigned group. The same group rules that apply to users apply to API keys. One model, no divergence.

Configurable expiration

Set keys to expire after a configurable period, or never. Match the expiration to the risk profile of the system using the key.

One-time display

Keys are shown once at creation. Store the value immediately in your secrets manager. If lost, create a new key; the old one cannot be retrieved.

Centralized visibility

All organization API keys are visible from one settings page, showing the name, creator, expiration, and group assignment for each key.

Create your first scoped API key

Sign up for free and create group-scoped keys for your pipelines in minutes.

FAQ

API Keys on Cosmo

Full details in the API keys documentation.