Keys & IDs
Details on your OneSignal App ID, App Auth Key, User Auth Key management, and manually disabling your app.
Navigate to Settings > Keys & IDs to access your OneSignal app's public and private keys.
App ID
Your OneSignal App ID (or just App ID) is the main identifier to differentiate your app from all other OneSignal apps. You will use this in all your SDK initialization codes and API calls. Note that the App ID is public and doesn't need to be treated as private.
API keys
The App API Key serves as the REST API Key to most of our REST APIs while the Organization API key is used for app-related APIs as detailed below.
You can find your App's API key in Settings > Keys & IDs of your OneSignal Dashboard. Include this key in the Authorization
header using the Key
Authentication scheme e.g., Key YOUR_REST_API_KEY
.
Do not share this key
Treat your REST API Key as though it is a password - do not add it to your app code or public repositories (e.g. Github) and do not share it with anyone.
Organization API key
An Organization API Key is used for app management API requests (e.g. using the Creating an app and Viewing apps). It can't be used to send notifications or other common app actions. Organization keys are mainly useful for large organizations that manage hundreds of applications in a single organization.
To create an Organization API key, click Organizations > Keys & Ids
As with App API keys, you can configure up to 16 org keys and include IP allowlisting configuration.
Creating a new key
Click the Add Key button to open the Create API Authentication Key modal.
Enter a descriptive name for your key like the name of the service that will use the key.
IP allowlist
You can optionally enable IP Allowlisting, which limits the IP addresses that are permitted to use the API key. Toggle the IP allowlisting setting on, then enter a list of space-separated IP CIDRs, e.g.:
192.0.2.0/24 192.0.2.123/32
If a service tries to use an API key with an IP allowlist from an IP outside the allowlist, it will receive an Access Denied response.
You can generate up to 16 REST API keys, each with different names and IP allowlisting configurations.
Click Create to see your REST API key.
Get API key
After you click Create you will see your API key. This is the only time you will have access to it, so save this key somewhere private!
Once you click Continue you will not have access to this key anymore.
Key management
Once you create the key, you will have the following options.
Editing keys
You can update the name and IP allowlisting configuration for a key by opening the menu on the right-hand side of the key table and selecting Edit. Editing a key does not regenerate the authentication secret, so you do not need to update the key in your application afterward.
Rotating keys
You can rotate the authentication secret for a key by opening the menu on the right-hand side of the key table and selecting Rotate. Rotating a key does not change the name or IP Allowlisting configuration but does generate a new authentication secret. After rotating a key, you must update the key in your application to continue authenticating with the API.
Deleting keys
You can delete keys by opening the menu on the right-hand side of the key table and selecting Delete. Deleting a key stops it from being used to authenticate with the API.
Migrating from legacy API keys
On the 14th of November 2024, we announced the new rich API key system described above and started deprecating legacy API keys. Legacy user API keys will be deprecated on the 1st of March 2025, and legacy app API keys will be deprecated in Q1 2026. We'll follow up with further communications closer to these dates.
To continue using the API, your apps need to migrate to using the new rich API keys described above. This migration is easy, and takes only a few minutes:
- Follow the instructions above to create a new rich API key.
- Update the key in your codebase so it uses the new rich key, removing the old legacy key.
- Make sure your API requests are using
https://api.onesignal.com
and not the legacyhttps://onesignal.com/api/v1/
URL. - Click the "Disable Legacy Key" button in the app Keys & IDs page.
Disabling your app
You may disable your app to prevent new and scheduled notifications from being delivered.
You'll still receive new subscribers if you disable the app. You must remove or comment out the OneSignal code to stop new subscriptions.
Apps you manually disable can be instantly re-enabled at any time.
Updated 12 days ago