> ## Documentation Index
> Fetch the complete documentation index at: https://docs.codeqr.io/llms.txt
> Use this file to discover all available pages before exploring further.
# API keys
> Learn how API keys work on CodeQR.
API keys on CodeQR allow you to access your project programmatically. This is useful for integrating CodeQR into your application or with other tools and services.
Each API key is tied to a specific project – meaning you can use it to access that project's resources without having to worry about "leaking" access to other projects.
API keys on CodeQR follow the format:
```bash .env theme={null}
CODEQR_API_KEY=codeqr_xxxxxxxx
```
By default, you can use this key to perform any API request without restriction, so it must be stored securely in your app's server-side code (such as in an environment variable or credential management system). Don’t expose this key on a website.
## Create an API key
You can create an API key by following these steps:
Go to **Settings** > [**API Keys**](https://app.codeqr.io/settings/tokens) in your project.
Click on the "Create" button and select permissions you want to grant to
the API key.
Select between "You" and "Machine" to associate the API key with your account or a [machine user](#machine-users).
* **You**: This API key is tied to your user and can make requests against the selected project.
* **Machine**: A machine user will be added to your project, and an API key associated with that machine user will be created.
Click on the **Create API Key** button to create the key. Make sure to copy your API key and store it in a safe place. You won't be able to see it again.
Now that you have your API key, you can use it to access your project's resources programmatically via SDKs or within any API request as a bearer token.
```
Authorization: Bearer codeqr_xxxx
```
We recommend creating API keys with the least privilege necessary to perform
the required tasks. This helps to reduce the risk of unauthorized access to
your project.
## API key permissions
When creating a secret key, you can select the permissions it has, which will give the key access to certain (or all) resources on CodeQR. Here are the different permission options:
| Permission | Description |
| :------------------ | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **All permissions** | This API key will have full access to all resources. |
| **Read only** | This API key will have read-only access to all resources. |
| **Restricted** | This API key will have restricted access to some resources: - [Links](/data-model#links)
- [Analytics](/api-reference/endpoint/retrieve-analytics)
- [Domains](/data-model#domains)
- [Tags](/data-model#tags)
|
Depending on your use case, you might want to use one of these 3 options to limit the scope of the API key and improve security. When making API calls, if your API key has insufficient permissions, the error should tell you which permissions you need.
You can only set permissions on Secret keys. Publishable keys only have access
to certain endpoints, and cannot be restricted.
## Machine users
On CodeQR, you can create API keys that are associated with a "Machine user". This is particularly helpful when you don't want to associate the API key with a particular user in your project, to avoid security risks in involving turnover or changes in project ownership.
Machine users share the same permissions as the [owner
role](https://codeqr.io/help/article/project-roles#owner-role) in a project.
Make sure to only create machine users for trusted applications.
These machine users will show up on your project's **People** tab, but will not contribute to your project's user count.
If you delete an API key associated with a machine user, the machine user will
be deleted. Vice versa, if you delete a machine user, their corresponding API
key will be deleted as well.