Skip to main content
Your OneSignal account includes public IDs like App ID and Organization ID and private API keys like App API Key and Organization API Key.
  • App ID and Organization ID are public identifiers — safe to use in client-side code and SDK initialization.
  • App API Keys and Organization API Keys are private secrets — store them securely and never expose them in client-side code.
This guide explains what each key does, where to find it, and how to manage it securely.
Where to find your keys: From any app in the OneSignal dashboard, go to Settings > Keys & IDs. For Organization-level keys, go to Organizations > Your Organization > Keys & IDs.

App ID

The App ID is a public UUID (v4) that identifies your OneSignal app. You use it for:
  • Initializing the SDK (Mobile SDK setup, Web SDK setup)
  • Making API requests such as Create message and Create user
Find your App ID in the dashboard under Settings > Keys & IDs or via the View apps API.
OneSignal dashboard Keys & IDs page showing App ID location
App ID value highlighted in the Keys & IDs settings page
Your App ID is safe to use in client-side SDK initialization. It is not a secret.

Organization ID

The Organization ID (Org ID) is a UUID (v4) that groups all apps under your billing plan. You need it for Organization-level APIs such as: Find it in Organizations > Your Organization > Keys & IDs or via the View an app API.
OneSignal dashboard showing Organization ID under Keys & IDs.

API keys overview

OneSignal supports two types of API keys:
Key TypeScopeUsed For
App API KeySingle appSending messages, creating users, app-level operations
Organization API KeyEntire organizationCreating apps, managing API keys, org-level configuration
You can create up to 16 API keys and configure IP allowlisting.
Both are private secrets and must be stored securely.

App API key

Use an App API Key for most REST API requests related to a specific app. Authentication format: Include the key in the Authorization header with the key authentication scheme: 
Authorization: key YOUR_REST_API_KEY
You can create App API Keys in App Settings > Keys & IDs or via the Create API key API.
Treat App API Keys like passwords.
  • Never expose them in mobile or web client code.
  • Never commit them to public repositories (like GitHub).
  • Store them in a secure backend or secret manager.

Organization API key

Use an Organization API Key for: Create Organization API Keys in the OneSignal dashboard under Organizations > Your Organization > Keys & IDs.
Organization API key section in the Keys & IDs dashboard
As with app API keys, you can configure up to 16 org keys and include IP allowlisting configuration.

Create API keys

You can create both App and Organization API keys from the dashboard.
  • App API keys can also be created via the Create API key API.
  • Organization API keys can only be created via dashboard.
Create a key:
  1. Go to Keys & IDs (App or Organization level).
  2. Click Add Key.
  3. Enter a descriptive name (example: CRM Sync Service).
  4. (Optional) Configure IP allowlisting.
  5. Click Create.
  6. Copy and securely store the key immediately.
Modal for creating a new API key in OneSignal dashboard
Generated API key displayed after creation
API keys are shown only once. If you lose the key, you must rotate it.
You can restrict API key usage to specific IP addresses.
  • Enter space-separated CIDR blocks
    • Example: 192.0.2.0/24 192.0.2.123/32
  • Requests from non-allowed IPs will be denied.
Use IP allowlisting for:
  • Backend services with static IPs
  • High-security production environments
IP allowlist configuration field in API key creation modal

Key management

After creating a key, you can manage it via the key list interface:
API key list in OneSignal dashboard showing key names and IDs
The Key ID is a label for reference. It is not the secret API key.

Edit API keys

You can:
  • Update the key name
  • Modify IP allowlist settings
Editing does not change the secret value. No integration changes are required.
  • App API keys can be updated via dashboard or the Update API key API.
  • Organization API keys can only be updated via dashboard.

Rotate API keys

Rotating a key:
  • Generates a new secret
  • Keeps the same name and configuration
  • Immediately invalidates the old secret
When to rotate:
  • The key was exposed
  • A team member with access leaves
  • Routine security rotation
After rotating a key, update all services using it. Requests with the old key will fail.
  • App API keys can be rotated via dashboard or the Rotate API key API.
  • Organization API keys can only be rotated via dashboard.

Delete API keys

Deleting a key:
  • Permanently removes it
  • Immediately blocks API access using that key
Use deletion when a key is no longer needed.
  • App API keys can be deleted via dashboard or the Delete API key API.
  • Organization API keys can only be deleted via dashboard.

Migrating from legacy API keys

We introduced rich API key management on November 14, 2024. Migration Steps
  1. Create a new App or Organization API key.
  2. Replace the legacy key in your code.
  3. Update your API base URL from https://onesignal.com/api/v1/ to https://api.onesignal.com.
  4. Disable or delete the legacy key in Keys & IDs.
Test API requests in a staging environment before disabling your legacy key in production.

Disabling your app

Block API access:
  • Delete or rotate API keys to immediately block REST API usage.
Disable message sending:
  • Go to Settings > Manage App > Disable App.
See Disabled Apps & Organizations for details.
Disabling an app does not stop billing. Monthly Active Users (MAU) for disabled apps still count toward billing.To stop billing, delete the app or move it to a Free Organization.Contact support@onesignal.com for assistance.

Security best practices

  • Store API keys in a secure backend (never client-side).
  • Use environment variables or a secrets manager.
  • Enable IP allowlisting when possible.
  • Rotate keys periodically.
  • Use separate keys for staging and production.

FAQ

How do I find my API key?

Go to Settings > Keys & IDs in the OneSignal dashboard. Copy the REST API Key (app-level) or go to Organizations > Your Organization > Keys & IDs for the Organization API Key. The key is only displayed once after creation. If you lose the key, you must rotate it.

Can I retrieve a legacy REST API key?

No. OneSignal does not display legacy REST API keys anymore. If you cannot find this key in your codebase, then you will need to generate and use a new API key.

What is the difference between an App ID, REST API key, and Organization API key?

  • App ID: A public identifier for your app. Used in SDK setup and API requests to specify the app.
  • REST API Key: A secret key used to send messages and manage users for one app.
  • Organization API Key: A secret key used to manage apps and organization-level settings across your entire account.

Disabled Apps & Organizations

Manage disabled apps and understand billing implications.

Users

Understand the OneSignal user model and External IDs.