Your OneSignal account includes public IDs and private API keys.
  • Use IDs (like App ID) to configure SDKs and reference apps.
  • Use API keys to authenticate secure REST API requests.
This guide explains what each key does, where to find it, and how to manage it securely.

App ID

The App ID is a public UUID (v4) that identifies your OneSignal app. You use it for:
  • Initializing the SDK (Mobile SDK setup, Web SDK setup)
  • Making API requests such as Create message and Create user
Find your App ID in the dashboard under Settings > Keys & IDs or via the View apps API.

Your App ID is safe to use in client-side SDK initialization. It is not a secret.

Organization ID

The Organization ID (Org ID) is a UUID (v4) that groups all apps under your billing plan. You need it for Organization-level APIs such as:
Find it in Organizations > Your Organization > Keys & IDs or via the View an app API.

API keys overview

OneSignal supports two types of API keys:
| Key Type | Scope | Used For |
| --- | --- | --- |
| App API Key | Single app | Sending messages, creating users, app-level operations |
| Organization API Key | Entire organization | Creating apps, managing API keys, org-level configuration |
You can create up to 16 API keys and configure IP allowlisting.
Both are private secrets and must be stored securely.

App API key

Use an App API Key for most REST API requests related to a specific app.
Authentication format: include the key in the Authorization header with the key authentication scheme:
Authorization: key YOUR_REST_API_KEY
You can create App API Keys in App Settings > Keys & IDs or via the Create API key API.
Treat App API Keys like passwords.
  • Never expose them in mobile or web client code.
  • Never commit them to public repositories (like GitHub).
  • Store them in a secure backend or secret manager.

Organization API key

Use an Organization API Key for:
Create one in the OneSignal dashboard under Organizations > Your Organization > Keys & IDs.
As with App API keys, you can configure up to 16 Organization API keys and set up IP allowlisting.

Create API keys

You can create both App and Organization API keys from the dashboard.
  • App API keys can also be created via the Create API key API.
  • Organization API keys can only be created via dashboard.
Create a key:
  1. Go to Keys & IDs (App or Organization level).
  2. Click Add Key.
  3. Enter a descriptive name (example: CRM Sync Service).
  4. (Optional) Configure IP allowlisting.
  5. Click Create.
  6. Copy and securely store the key immediately.
API keys are shown only once. If you lose the key, you must rotate it.
You can restrict API key usage to specific IP addresses.
  • Enter space-separated CIDR blocks
    • Example: 192.0.2.0/24 192.0.2.123/32
  • Requests from non-allowed IPs will be denied.
Use IP allowlisting for:
  • Backend services with static IPs
  • High-security production environments
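An allowlist that omits one of your backend's outbound IPs denies that service's requests as soon as it is saved. The following added example (not OneSignal code) checks a space-separated CIDR string before you paste it into the field; the egress IP list and the `max_addresses` threshold are assumptions you supply, and treating entries with host bits set as errors is a local policy choice.

```python
import ipaddress

def parse_allowlist(field):
    """Split the space-separated field into networks; collect bad tokens."""
    networks, errors = [], []
    for token in field.split():
        try:
            # strict=True rejects entries such as 192.0.2.123/24 (host bits set),
            # which usually means the prefix length or the address is a typo.
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    return networks, errors

def review_allowlist(field, egress_ips, max_addresses=256):
    """Compare an allowlist string with the IPs your backend sends from.

    egress_ips and max_addresses are local policy inputs (assumptions),
    not OneSignal settings.
    """
    networks, errors = parse_allowlist(field)
    addrs = [ipaddress.ip_address(ip) for ip in egress_ips]
    return {
        "errors": errors,
        # Backend IPs that would be denied once the allowlist is saved.
        "uncovered": [str(a) for a in addrs if not any(a in n for n in networks)],
        # Ranges wide enough to defeat the purpose of the restriction.
        "too_broad": [str(n) for n in networks if n.num_addresses > max_addresses],
        # Entries matching no known backend IP: likely stale, candidates to remove.
        "unused": [str(n) for n in networks if not any(a in n for a in addrs)],
    }

if __name__ == "__main__":
    # Constructed sample: the page's example allowlist and two documentation-range IPs.
    print(review_allowlist("192.0.2.0/24 192.0.2.123/32",
                           ["192.0.2.10", "198.51.100.7"]))
```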

Key management

After creating a key, you can manage it from the key list in the dashboard, which shows key names and IDs.
The Key ID is a label for reference. It is not the secret API key.

Edit API keys

You can:
  • Update the key name
  • Modify IP allowlist settings
Editing does not change the secret value. No integration changes are required.
  • App API keys can be updated via dashboard or the Update API key API.
  • Organization API keys can only be updated via dashboard.

Rotate API keys

Rotating a key:
  • Generates a new secret
  • Keeps the same name and configuration
  • Immediately invalidates the old secret
When to rotate:
  • The key was exposed
  • A team member with access leaves
  • Routine security rotation
After rotating a key, update all services using it. Requests with the old key will fail.
  • App API keys can be rotated via dashboard or the Rotate API key API.
  • Organization API keys can only be rotated via dashboard.

Delete API keys

Deleting a key:
  • Permanently removes it
  • Immediately blocks API access using that key
Use deletion when a key is no longer needed.
  • App API keys can be deleted via dashboard or the Delete API key API.
  • Organization API keys can only be deleted via dashboard.

Migrating from legacy API keys

We introduced rich API key management on November 14, 2024.
Migration steps:
  1. Create a new App or Organization API key.
  2. Replace the legacy key in your code.
  3. Update your API base URL to:
     https://api.onesignal.com
     Instead of:
     https://onesignal.com/api/v1/
  4. Disable or delete the legacy key in Keys & IDs.
Test API requests in a staging environment before disabling your legacy key in production.
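Before disabling the legacy key, it helps to confirm that no code still points at the legacy base URL or carries a key literal in an Authorization header. This is an added example, not OneSignal tooling: the finding labels, the sample source, and the `ONESIGNAL_API_KEY` environment variable name are constructed for illustration, and the key pattern only assumes a token of 16 or more URL-safe characters after the `key` scheme.

```python
import re

# Legacy base URL from the migration steps above.
LEGACY_URL = re.compile(r"https?://onesignal\.com/api/v1\b")
# "Authorization: key <literal>" in header strings, dicts or tuples.
HARDCODED_KEY = re.compile(
    r"""Authorization["']?\s*[:=,]\s*["']?key\s+([A-Za-z0-9_-]{16,})""", re.I
)
# Documentation placeholder that should not be reported as a secret.
PLACEHOLDERS = {"YOUR_REST_API_KEY"}

def scan_source(name, text):
    """Return (file, line number, finding) tuples for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if LEGACY_URL.search(line):
            findings.append((name, lineno, "legacy-base-url"))
        match = HARDCODED_KEY.search(line)
        if match and match.group(1) not in PLACEHOLDERS:
            findings.append((name, lineno, "hardcoded-api-key"))
    return findings

# Constructed sample file; the key value is fake.
SAMPLE = '''\
import os
BASE = "https://onesignal.com/api/v1/"
headers = {"Authorization": "key EXAMPLEKEY0123456789abcdef"}
safe = {"Authorization": f"key {os.environ['ONESIGNAL_API_KEY']}"}
docs = "Authorization: key YOUR_REST_API_KEY"
NEW_BASE = "https://api.onesignal.com"
'''

if __name__ == "__main__":
    for finding in scan_source("app.py", SAMPLE):
        print(finding)
```

Run it over staged files in a pre-commit hook or CI job; a `hardcoded-api-key` finding on code that was ever pushed means the key should be rotated, not just removed from the file.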

Disabling your app

Block API access:
  • Delete or rotate API keys to immediately block REST API usage.
Disable message sending:
  • Go to Settings > Manage App > Disable App.
See Disabled Apps & Organizations for details.
Disabling an app does not stop billing. Monthly Active Users (MAU) for disabled apps still count toward billing. To stop billing, delete the app or move it to a Free Organization. Contact [email protected] for assistance.

Security best practices

  • Store API keys in a secure backend (never client-side).
  • Use environment variables or a secrets manager.
  • Enable IP allowlisting when possible.
  • Rotate keys periodically.
  • Use separate keys for staging and production.