Your OneSignal account includes both public IDs and private API keys that are essential for configuring your apps and accessing the OneSignal API. This guide explains where to find them, how to manage them, and best practices for secure usage.


App ID

The App ID is a unique public identifier for your OneSignal project, formatted as a UUID v4. It is distinct from your private API keys and is required for:

Find your App ID under Settings > Keys & IDs in the OneSignal Dashboard or via the View apps API.

Keys & IDs page to find your App ID and App API keys.


Example where to find your App ID.

Organization ID

Your Organization ID (Org ID) is a unique identifier in UUID v4 format that groups all apps under your billing plan. It is required for APIs related to:

You can find your organization_id in the dashboard under Organizations > Your Organization or via the View an app API.

Example showing how to find your Organization ID in the OneSignal dashboard.


API keys

There are two types of API keys:

  1. App API Keys
  2. Organization API Key – A private key used for configuring apps and API keys within an Organization.

App API key

Your app API key is a private key used for most REST API requests related to a specific app.

  • App API keys can be created under Settings > Keys & IDs or Create an API Key.

  • They can only be viewed once created.

  • Include this key in the Authorization header using the key authentication scheme:

    Authorization: key YOUR_REST_API_KEY
    

Treat App API Keys like a password. Do not share it, expose it in your app code, or store it in public repositories like GitHub.

Organization API key

Your organization API key is a private key used for managing apps and app API keys within an Organization. It is required for API requests such as:

To create an organization API key, navigate to Organizations > your org > Keys & IDs in your OneSignal Dashboard.

The Organization API key replaces the legacy User Auth key.

As with app API keys, you can configure up to 16 org keys and include IP allowlisting configuration.


Create API keys

  • App API Key – Go to your app’s Settings > Keys & IDs or use the Create API key API.
  • Organization API Key – Go to your organization’s Keys & IDs section.

Click Add Key to open the creation modal.

API keys are only visible once. Use Add Key to generate one.

Give your key a descriptive name (e.g., “CRM Sync Service”).

IP allowlist

Optionally, restrict API key usage to specific IP addresses by enabling IP Allowlisting. Enter space-separated CIDR blocks (e.g., 192.0.2.0/24 192.0.2.123/32). Requests from non-allowed IPs will be denied.

Creating an API key with optional IP allowlist.

View API keys

After clicking Create, your API key will be shown once. Save it securely.

Generated API key (displayed only once).

After clicking Continue, the key will no longer be viewable.


Key management

After creating a key, you can manage it via the key list interface:

Key ID is only a label for reference, not the actual API key.

Edit API keys

Via the dashboard or Update API key API:

  • Update the name or IP allowlist
  • Does not change the secret—no app code changes needed

Rotate API keys

Via the dashboard or Rotate API key API:

  • Replaces the key’s secret
  • Keep the same name and IP settings
  • You must update your app or integration with the new key

Delete API keys

Via the dashboard or Delete API key API:

  • Deletes the key permanently
  • Blocks any further API access using that key

Migrating from legacy API keys

We introduced rich API key management on November 14, 2024.

Migration Steps

  1. Create a new rich API key (see above).
  2. Replace the legacy key in your codebase.
  3. Update API calls to use https://api.onesignal.com instead of the old https://onesignal.com/api/v1/ URL.
  4. Delete or click “Disable Legacy Key” on the legacy key from the Keys & IDs page.

Disabling your app

Disabling an app will block:

  • New notifications
  • Scheduled notifications waiting to be sent

It will not block new device subscriptions. To prevent those, you must remove OneSignal code from your app.

Disabled apps can be re-enabled at any time in the dashboard.


Your OneSignal account includes both public IDs and private API keys that are essential for configuring your apps and accessing the OneSignal API. This guide explains where to find them, how to manage them, and best practices for secure usage.


App ID

The App ID is a unique public identifier for your OneSignal project, formatted as a UUID v4. It is distinct from your private API keys and is required for:

Find your App ID under Settings > Keys & IDs in the OneSignal Dashboard or via the View apps API.

Keys & IDs page to find your App ID and App API keys.


Example where to find your App ID.

Organization ID

Your Organization ID (Org ID) is a unique identifier in UUID v4 format that groups all apps under your billing plan. It is required for APIs related to:

You can find your organization_id in the dashboard under Organizations > Your Organization or via the View an app API.

Example showing how to find your Organization ID in the OneSignal dashboard.


API keys

There are two types of API keys:

  1. App API Keys
  2. Organization API Key – A private key used for configuring apps and API keys within an Organization.

App API key

Your app API key is a private key used for most REST API requests related to a specific app.

  • App API keys can be created under Settings > Keys & IDs or Create an API Key.

  • They can only be viewed once created.

  • Include this key in the Authorization header using the key authentication scheme:

    Authorization: key YOUR_REST_API_KEY
    

Treat App API Keys like a password. Do not share it, expose it in your app code, or store it in public repositories like GitHub.

Organization API key

Your organization API key is a private key used for managing apps and app API keys within an Organization. It is required for API requests such as:

To create an organization API key, navigate to Organizations > your org > Keys & IDs in your OneSignal Dashboard.

The Organization API key replaces the legacy User Auth key.

As with app API keys, you can configure up to 16 org keys and include IP allowlisting configuration.


Create API keys

  • App API Key – Go to your app’s Settings > Keys & IDs or use the Create API key API.
  • Organization API Key – Go to your organization’s Keys & IDs section.

Click Add Key to open the creation modal.

API keys are only visible once. Use Add Key to generate one.

Give your key a descriptive name (e.g., “CRM Sync Service”).

IP allowlist

Optionally, restrict API key usage to specific IP addresses by enabling IP Allowlisting. Enter space-separated CIDR blocks (e.g., 192.0.2.0/24 192.0.2.123/32). Requests from non-allowed IPs will be denied.

Creating an API key with optional IP allowlist.

View API keys

After clicking Create, your API key will be shown once. Save it securely.

Generated API key (displayed only once).

After clicking Continue, the key will no longer be viewable.


Key management

After creating a key, you can manage it via the key list interface:

Key ID is only a label for reference, not the actual API key.

Edit API keys

Via the dashboard or Update API key API:

  • Update the name or IP allowlist
  • Does not change the secret—no app code changes needed

Rotate API keys

Via the dashboard or Rotate API key API:

  • Replaces the key’s secret
  • Keep the same name and IP settings
  • You must update your app or integration with the new key

Delete API keys

Via the dashboard or Delete API key API:

  • Deletes the key permanently
  • Blocks any further API access using that key

Migrating from legacy API keys

We introduced rich API key management on November 14, 2024.

Migration Steps

  1. Create a new rich API key (see above).
  2. Replace the legacy key in your codebase.
  3. Update API calls to use https://api.onesignal.com instead of the old https://onesignal.com/api/v1/ URL.
  4. Delete or click “Disable Legacy Key” on the legacy key from the Keys & IDs page.

Disabling your app

Disabling an app will block:

  • New notifications
  • Scheduled notifications waiting to be sent

It will not block new device subscriptions. To prevent those, you must remove OneSignal code from your app.

Disabled apps can be re-enabled at any time in the dashboard.