OpenAI

Managing Admin keys in the Credentials tab

Create and manage Admin keys for ChatGPT and Codex workspaces in Admin Console.

Updated: 19 hours ago

Overview

Admin keys let workspace owners and admins connect tools and services to supported ChatGPT and Codex workspace administration APIs. Depending on your role and the permissions you assign, a key can export or remove compliance logs, read workspace analytics and costs, read Codex analytics, manage service accounts, automate usage limits through the Spend Controls API, or manage workspace groups and membership lists. Usage limits remain in ChatGPT under Workspace settings → Usage limits. Admin keys do not grant access to models or model inference.

Each Admin key applies to one workspace. When you create a key, you can add a name and set an expiration. Owners can select All, Read only, or Restricted permissions. Admins must use Restricted permissions and can choose read or write access by endpoint category.

In global admin console, go to Credentials > Admin keys. From this section, you can select a workspace, create keys, review each key's status, expiration, last-used date, creator, and permissions, and edit or revoke existing keys. Copy and securely store the secret when you create the key because you cannot view it again. Only workspace admins and owners can create keys - see below for more information on access.

Learn more about the global admin console.

Admin key access by role

The Admin keys tab is available to workspace owners and workspace admins for eligible Enterprise and Edu workspaces. You can create keys only for workspaces where you hold one of these roles.

RoleCan create keys forAllowed permissionsCompliance API access
Workspace ownersWorkspaces they ownRestricted, Read only, or AllSensitive compliance scopes when they are available for the workspace.
Workspace adminsWorkspaces they administerRestricted permissions for permitted non-compliance APIs, including Codex analytics, workspace directory, usage limits, and service account administration.Non-sensitive compliance scopes only. Workspace admins cannot create keys with compliance export, compliance logs, or umbrella scopes that include sensitive data such as conversation messages.

Permission levels

All

Grants broad admin access to the selected workspace. Only workspace owners can create keys with All permissions. Use this option only when a narrower key will not work.

Read only

Grants read access to available administration endpoints for the selected workspace. Only workspace owners can create a Read only key when its permissions include owner-only compliance data.

Restricted

Lets you select specific endpoint categories. Restricted is recommended for most integrations. Workspace admins must use Restricted permissions and can select only permitted non-compliance or non-sensitive compliance scopes.

Compliance API permissions

Compliance scopes grant access to the OpenAI Compliance Platform, including compliance export and compliance logs APIs. These APIs can expose sensitive workspace data.

Only workspace owners can create keys with umbrella scopes or sensitive scopes, such as access to conversation messages. Workspace admins can create keys only with non-sensitive compliance scopes.

Create an Admin key

  1. Go to Admin Console, then select Credentials > Admin keys.

  2. Select Create new admin key.

  3. Select the workspace that the key should access.

  4. Select the logs and analytics features the key must have access to.

  5. Create the key, then copy the secret immediately. You cannot view the secret again.

For a full API description, read the API docs.

Manage Admin keys

Go to Credentials > Admin keys, then select a workspace to review its keys. When your role permits it, you can change a key's name or allowed scopes and revoke keys that you no longer need.

Workspace admins cannot change or revoke keys with owner-only compliance scopes.

Best practices

  • Use Restricted permissions and grant only the scopes your integration needs.

  • Use separate keys for separate systems or workflows.

  • Store Admin keys in a secure secret manager.

  • Set a reasonable expiration date.

  • Rotate keys regularly and revoke keys you no longer use.

  • Review compliance-scoped keys carefully because they can grant access to sensitive data.

Was this article helpful?