App ID
The App ID is a unique public identifier for your OneSignal project, formatted as a UUID v4. It is distinct from your private API keys and is required for:- SDK initialization – Mobile SDK setup, Web SDK setup
- API calls – Create message, Create user, and others.

Keys & IDs page to find your App ID and App API keys.

Example where to find your App ID.
Organization ID
Your Organization ID (Org ID) is a unique identifier in UUID v4 format that groups all apps under your billing plan. It is required for APIs related to:- App management – Create an app, Update an app.
organization_id
in the dashboard under Organizations > Your Organization or via the View an app API.

Example showing how to find your Organization ID in the OneSignal dashboard.
API keys
There are two types of API keys:- App API Keys
- Organization API Key – A private key used for configuring apps and API keys within an Organization.
App API key
Your app API key is a private key used for most REST API requests related to a specific app.- App API keys can be created under Settings > Keys & IDs or Create an API Key.
- They can only be viewed once created.
-
Include this key in the
Authorization
header using thekey
authentication scheme:
Treat App API Keys like a password. Do not share it, expose it in your app code, or store it in public repositories like GitHub.
Organization API key
Your organization API key is a private key used for managing apps and app API keys within an Organization. It is required for API requests such as:- App configuration – Creating apps, Viewing apps
- API key management – Create API key, Delete API key, Update API key

The Organization API key replaces the legacy User Auth key.
Create API keys
- App API Key – Go to your app’s Settings > Keys & IDs or use the Create API key API.
- Organization API Key – Go to your organization’s Keys & IDs section.

API keys are only visible once. Use Add Key to generate one.
IP allowlist
Optionally, restrict API key usage to specific IP addresses by enabling IP Allowlisting. Enter space-separated CIDR blocks (e.g.,192.0.2.0/24 192.0.2.123/32
).
Requests from non-allowed IPs will be denied.

Creating an API key with optional IP allowlist.
View API keys
After clicking Create, your API key will be shown once. Save it securely.
Generated API key (displayed only once).
Key management
After creating a key, you can manage it via the key list interface:
Key ID is only a label for reference, not the actual API key.
Edit API keys
Via the dashboard or Update API key API:- Update the name or IP allowlist
- Does not change the secret—no app code changes needed
Rotate API keys
Via the dashboard or Rotate API key API:- Replaces the key’s secret
- Keep the same name and IP settings
- You must update your app or integration with the new key
Delete API keys
Via the dashboard or Delete API key API:- Deletes the key permanently
- Blocks any further API access using that key
Migrating from legacy API keys
We introduced rich API key management on November 14, 2024. Migration Steps- Create a new rich API key (see above).
- Replace the legacy key in your codebase.
- Update API calls to use
https://api.onesignal.com
instead of the oldhttps://onesignal.com/api/v1/
URL. - Delete or click “Disable Legacy Key” on the legacy key from the Keys & IDs page.
Disabling your app
Disabling an app will block:- New notifications
- Scheduled notifications waiting to be sent