Overview
Admin keys let workspace owners and admins connect tools and services to supported ChatGPT and Codex workspace administration APIs. Depending on your role and the permissions you assign, a key can export or remove compliance logs, read workspace analytics and costs, read Codex analytics, manage service accounts, automate usage limits through the Spend Controls API, or manage workspace groups and membership lists. Usage limits remain in ChatGPT under Workspace settings → Usage limits. Admin keys do not grant access to models or model inference.
Each Admin key applies to one workspace. When you create a key, you can add a name and set an expiration. Owners can select All, Read only, or Restricted permissions. Admins must use Restricted permissions and can choose read or write access by endpoint category.
In global admin console, go to Credentials > Admin keys. From this section, you can select a workspace, create keys, review each key's status, expiration, last-used date, creator, and permissions, and edit or revoke existing keys. Copy and securely store the secret when you create the key because you cannot view it again. Only workspace admins and owners can create keys - see below for more information on access.
Learn more about the global admin console.
Admin key access by role
The Admin keys tab is available to workspace owners and workspace admins for eligible Enterprise and Edu workspaces. You can create keys only for workspaces where you hold one of these roles.
| Role | Can create keys for | Allowed permissions | Compliance API access |
|---|---|---|---|
| Workspace owners | Workspaces they own | Restricted, Read only, or All | Sensitive compliance scopes when they are available for the workspace. |
| Workspace admins | Workspaces they administer | Restricted permissions for permitted non-compliance APIs, including Codex analytics, workspace directory, usage limits, and service account administration. | Non-sensitive compliance scopes only. Workspace admins cannot create keys with compliance export, compliance logs, or umbrella scopes that include sensitive data such as conversation messages. |
Permission levels
All
Grants broad admin access to the selected workspace. Only workspace owners can create keys with All permissions. Use this option only when a narrower key will not work.
Read only
Grants read access to available administration endpoints for the selected workspace. Only workspace owners can create a Read only key when its permissions include owner-only compliance data.
Restricted
Lets you select specific endpoint categories. Restricted is recommended for most integrations. Workspace admins must use Restricted permissions and can select only permitted non-compliance or non-sensitive compliance scopes.
Compliance API permissions
Compliance scopes grant access to the OpenAI Compliance Platform, including compliance export and compliance logs APIs. These APIs can expose sensitive workspace data.
Only workspace owners can create keys with umbrella scopes or sensitive scopes, such as access to conversation messages. Workspace admins can create keys only with non-sensitive compliance scopes.
Create an Admin key
Go to Admin Console, then select Credentials > Admin keys.
Select Create new admin key.
Select the workspace that the key should access.
Select the logs and analytics features the key must have access to.
Create the key, then copy the secret immediately. You cannot view the secret again.
For a full API description, read the API docs.
Manage Admin keys
Go to Credentials > Admin keys, then select a workspace to review its keys. When your role permits it, you can change a key's name or allowed scopes and revoke keys that you no longer need.
Workspace admins cannot change or revoke keys with owner-only compliance scopes.
Best practices
Use Restricted permissions and grant only the scopes your integration needs.
Use separate keys for separate systems or workflows.
Store Admin keys in a secure secret manager.
Set a reasonable expiration date.
Rotate keys regularly and revoke keys you no longer use.
Review compliance-scoped keys carefully because they can grant access to sensitive data.
