> ## Documentation Index
> Fetch the complete documentation index at: https://sentrydocs.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# API Keys

> Generate and manage authentication tokens for the Sentry API

Sentry provides several types of authentication credentials. Use the right type for your use case to follow the principle of least privilege and make token rotation easier.

<Warning>
  Treat tokens like passwords. Never commit them to source control, include them in client-side code, or share them in chat. If a token is exposed, revoke it immediately and generate a new one.
</Warning>

## Token types

<CardGroup cols={2}>
  <Card title="Auth token" icon="user">
    A personal token tied to your user account. Use for scripts, local tooling, or CI pipelines where you want actions attributed to you.
  </Card>

  <Card title="Organization auth token" icon="building">
    A token tied to the organization, not an individual user. Use for CI/CD pipelines, automated tooling, and integrations where a specific person shouldn't own the credential.
  </Card>
</CardGroup>

<Note>
  DSNs (Client Keys) are used only for SDK initialization — they allow your application to send events to Sentry. They are not API tokens and cannot be used to call the Sentry REST API.
</Note>

## Auth tokens (user tokens)

Auth tokens are scoped to your user account. Any API action performed with this token is attributed to you.

### Creating an auth token

<Steps>
  <Step title="Open API token settings">
    Go to **User Settings > API Tokens**.
  </Step>

  <Step title="Create a new token">
    Click **Create New Token**.
  </Step>

  <Step title="Select scopes">
    Choose only the scopes your use case requires. See the scope reference below.
  </Step>

  <Step title="Copy your token">
    Copy the token immediately. Sentry will not show it again after you leave this page.
  </Step>
</Steps>

## Organization auth tokens

Organization auth tokens are not tied to any individual user, which means they keep working when team members leave. They can optionally be scoped to a single organization.

### Creating an organization auth token

<Steps>
  <Step title="Open organization auth token settings">
    Go to **Settings > Auth Tokens**.
  </Step>

  <Step title="Create a new token">
    Click **Create New Token** and give it a descriptive name (for example, `ci-release-upload`).
  </Step>

  <Step title="Select scopes">
    Choose the scopes required for your use case. Organization auth tokens use the same scope list as user auth tokens.
  </Step>

  <Step title="Copy your token">
    Copy the token immediately. Sentry will not show it again after you leave this page.

    Organization auth tokens start with the prefix `sntrys_`.
  </Step>
</Steps>

## Scope reference

Assign the minimum set of scopes your integration needs.

<AccordionGroup>
  <Accordion title="Project scopes">
    | Scope                  | Access                                   |
    | ---------------------- | ---------------------------------------- |
    | `project:read`         | Read project settings, list projects     |
    | `project:write`        | Modify project settings                  |
    | `project:admin`        | Delete projects, manage project keys     |
    | `project:releases`     | Upload release artifacts and source maps |
    | `project:distribution` | Manage release distributions             |
  </Accordion>

  <Accordion title="Team scopes">
    | Scope        | Access                      |
    | ------------ | --------------------------- |
    | `team:read`  | List teams and team members |
    | `team:write` | Create and modify teams     |
    | `team:admin` | Delete teams                |
  </Accordion>

  <Accordion title="Event scopes">
    | Scope         | Access                            |
    | ------------- | --------------------------------- |
    | `event:read`  | Read issues and events            |
    | `event:write` | Update issue status, add comments |
    | `event:admin` | Delete events and issues          |
  </Accordion>

  <Accordion title="Organization scopes">
    | Scope              | Access                                     |
    | ------------------ | ------------------------------------------ |
    | `org:read`         | Read organization settings and member list |
    | `org:write`        | Modify organization settings               |
    | `org:admin`        | Transfer or delete the organization        |
    | `org:integrations` | Install and configure integrations         |
  </Accordion>

  <Accordion title="Member scopes">
    | Scope           | Access                          |
    | --------------- | ------------------------------- |
    | `member:read`   | List organization members       |
    | `member:write`  | Modify member settings          |
    | `member:admin`  | Add and remove members          |
    | `member:invite` | Send invitations to new members |
  </Accordion>

  <Accordion title="Alert scopes">
    | Scope          | Access                        |
    | -------------- | ----------------------------- |
    | `alerts:read`  | Read alert rules              |
    | `alerts:write` | Create and modify alert rules |
  </Accordion>
</AccordionGroup>

## Using a token in API requests

Pass your token in the `Authorization` header as a Bearer token on every request.

```bash theme={null}
curl https://sentry.io/api/0/organizations/{organization_slug}/projects/ \
  -H "Authorization: Bearer YOUR_TOKEN"
```

<Tabs>
  <Tab title="curl">
    ```bash theme={null}
    curl https://sentry.io/api/0/projects/{organization_slug}/{project_slug}/issues/ \
      -H "Authorization: Bearer YOUR_TOKEN" \
      -H "Content-Type: application/json"
    ```
  </Tab>

  <Tab title="Python">
    ```python theme={null}
    import requests

    token = "YOUR_TOKEN"
    org_slug = "your-org"

    response = requests.get(
        f"https://sentry.io/api/0/organizations/{org_slug}/projects/",
        headers={"Authorization": f"Bearer {token}"},
    )

    data = response.json()
    ```
  </Tab>

  <Tab title="Node.js">
    ```javascript theme={null}
    const token = "YOUR_TOKEN";
    const orgSlug = "your-org";

    const response = await fetch(
      `https://sentry.io/api/0/organizations/${orgSlug}/projects/`,
      {
        headers: {
          Authorization: `Bearer ${token}`,
        },
      }
    );

    const data = await response.json();
    ```
  </Tab>
</Tabs>

## Revoking tokens

**Auth tokens** — Go to **User Settings > API Tokens**, find the token, and click **Revoke**.

**Organization auth tokens** — Go to **Settings > Auth Tokens**, find the token, and click **Revoke**.

Revocation takes effect immediately. Any requests using a revoked token will receive a `401 Unauthorized` response.

<Tip>
  If you suspect a token has been compromised, revoke it immediately and audit recent API activity for unexpected actions before creating a replacement.
</Tip>
