- App ID and Organization ID are public identifiers, safe to use in client-side code and SDK initialization.
- App API key and Organization API key are private secrets. Store them securely and never expose them in client-side code.
App ID
The App ID is a public UUID (v4) that identifies your OneSignal app. You use it for:
- Initializing the SDK (Mobile SDK setup, Web SDK setup)
- Making API requests such as Create message and Create user

Your App ID is safe to use in client-side SDK initialization. It is not a secret.
Organization ID
The Organization ID (Org ID) is a UUID (v4) that groups all apps under your billing plan. You need it for Organization-level APIs such as: Find it in Organizations > Your Organization > Keys & IDs or via the View an app API.
API keys
There are two kinds of API keys. Both authenticate REST API requests and must be kept secret. Pick the one that matches what you want to do:

| Key | Use it for |
|---|---|
| App API key | One specific app: sending messages, creating users, reading stats. |
| Organization API key | Across your whole organization: creating apps and managing other API keys. |
You can create up to 16 App API keys per app and 16 Organization API keys per organization.
App API key
Use an App API key for any REST API request scoped to a single app: sending messages; creating or updating users; or reading message history. The dashboard never shows existing API key values. The string in the Key ID column is just an internal identifier, not the key. To get a working secret again, follow the steps below to create a new API key or rotate an existing key. Rotation generates a new value while keeping the same Key ID, name, and IP allowlist, and the old value stops working immediately.
Navigate to the app's Settings > Keys & IDs
In the OneSignal dashboard, select your app and go to Settings > Keys & IDs.
Click Add Key
Enter a descriptive name (for example, Backend service). Optionally add an IP allowlist so the key only works from approved servers.
Organization API key
Use an Organization API key for operations that span all the apps in your organization. Common endpoints:
- App management: Create an app, View apps
- API key management: Create API key, Delete API key, Rotate API key
Navigate to the Organization Keys & IDs
In the OneSignal dashboard, go to Organizations > Your Organization > Keys & IDs.
Click Add Key and name it
Enter a descriptive name (for example, App provisioning). Optionally add an IP allowlist.
IP allowlist
IP allowlisting is optional but strongly recommended. It restricts API key usage to specific IP addresses so a leaked key cannot be used from elsewhere.
- Enter space-separated CIDR blocks (example: 192.0.2.0/24 192.0.2.123/32).
- Requests from non-allowed IPs are denied.
- Backend services with static IPs.
- High-security production environments.
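
Because requests from addresses outside the allowlist are denied, it helps to check your servers' egress IPs against the allowlist string before saving it. The following is an added example, not OneSignal code: it parses the space-separated CIDR format described above and reports which addresses would be admitted. The sample egress addresses are constructed, and rejecting entries with host bits set is a local lint choice, not documented OneSignal behaviour.

```python
import ipaddress


def parse_allowlist(text):
    """Parse a space-separated CIDR allowlist string.

    Returns (networks, errors). Malformed entries and entries with host
    bits set (e.g. 192.0.2.123/24) are reported instead of being silently
    normalized; that strictness is this checker's choice (assumption).
    """
    networks, errors = [], []
    for token in text.split():
        try:
            networks.append(ipaddress.ip_network(token, strict=True))
        except ValueError as exc:
            errors.append(f"{token}: {exc}")
    return networks, errors


def covered(ip, networks):
    """Return the first allowlisted network containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in networks:
        if addr.version == net.version and addr in net:
            return net
    return None


def preflight(allowlist_text, egress_ips):
    """Map each egress IP to the block that admits it (None = would be denied)."""
    networks, errors = parse_allowlist(allowlist_text)
    return {ip: covered(ip, networks) for ip in egress_ips}, errors


# Allowlist string from the example above; egress IPs are constructed samples.
ALLOWLIST = "192.0.2.0/24 192.0.2.123/32"
EGRESS = ["192.0.2.10", "192.0.2.123", "198.51.100.7"]

if __name__ == "__main__":
    report, errors = preflight(ALLOWLIST, EGRESS)
    for ip, net in report.items():
        status = f"allowed by {net}" if net else "DENIED"
        print(f"{ip:15} -> {status}")
    for err in errors:
        print("invalid entry:", err)
```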

Manage API keys
After creating a key, you can edit, rotate, or delete it from the key list in Settings > Keys & IDs. App API keys also support these operations via REST API. Organization API keys are dashboard-only.
Edit a key
Update the name or IP allowlist without changing the secret value. No integration changes are required. Use the dashboard, or the Update API key API (App API keys only).
Rotate a key
Rotating generates a new secret while keeping the same Key ID, name, and IP allowlist. The old secret stops working immediately. Rotate a key when:
- The key was exposed.
- A team member with access leaves.
- A routine security rotation is due.
- You lost the original key value and need a working secret.
Delete a key
Deleting permanently removes the key and immediately blocks API access using that key. Use deletion when a key is no longer needed. Use the dashboard, or the Delete API key API (App API keys only).
Migrating from legacy API keys
OneSignal introduced App and Organization API keys (with naming, rotation, and IP allowlisting) in November 2024. The legacy User Auth key and the original REST API key are still accepted, but the management UI for them has been removed and new keys cannot be created.
Create a new key
Create a new App API key or Organization API key depending on which legacy key you are replacing.
Update your code
Replace the legacy key with the new value in every service that authenticates against OneSignal.
Update the API base URL
Change your API base URL from https://onesignal.com/api/v1/ to https://api.onesignal.com.
Verify API requests in staging before disabling your legacy key in production.
Block API access
To immediately revoke a key, rotate or delete it in Settings > Keys & IDs. Requests using the old value fail right away. To stop message sending or pause an app entirely, see Disabled Apps & Organizations.
Security best practices
- Store API keys in a secure backend (never client-side).
- Use environment variables or a secrets manager.
- Enable IP allowlisting when possible.
- Rotate keys periodically.
- Use separate keys for staging and production.
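
One way to enforce the first practice, and to find leftovers from the legacy migration, is a pre-commit or CI scan of your source tree. The following is an added example, not OneSignal tooling: it flags hard-coded values carrying the `os_v2_app_` prefix this page gives for API keys, plus references to the legacy base URL. The character set after the prefix, the sample files, and the `ONESIGNAL_APP_API_KEY` variable name are assumptions.

```python
import re

# Prefix is from this page; the characters allowed after it are an assumption.
KEY_RE = re.compile(r"os_v2_app_[A-Za-z0-9_\-]{8,}")
# Legacy base URL named in the migration steps.
LEGACY_URL_RE = re.compile(r"https?://onesignal\.com/api/v1\b")


def redact(secret, keep=4):
    """Keep only the prefix and last few characters so findings are safe to log."""
    return f"os_v2_app_...{secret[-keep:]}"


def scan(files):
    """Scan {path: text}; return sorted (path, line_no, rule, evidence) tuples."""
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for match in KEY_RE.finditer(line):
                findings.append((path, no, "hardcoded-api-key", redact(match.group())))
            if LEGACY_URL_RE.search(line):
                findings.append((path, no, "legacy-base-url", "onesignal.com/api/v1"))
    return sorted(findings)


# Constructed sample files. The App ID in init.js is public and is not flagged;
# the key value is a made-up string, not a real credential.
SAMPLE = {
    "web/init.js": (
        'OneSignal.init({ appId: "00000000-0000-4000-8000-000000000000" });\n'
        'const key = "os_v2_app_EXAMPLEonlyNOTaREALkey0000";\n'
    ),
    "server/send.py": (
        "import os\n"
        'KEY = os.environ["ONESIGNAL_APP_API_KEY"]  # hypothetical variable name\n'
        'BASE = "https://onesignal.com/api/v1/"\n'
    ),
}

if __name__ == "__main__":
    for path, no, rule, evidence in scan(SAMPLE):
        print(f"{path}:{no}: {rule}: {evidence}")
```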
FAQ
How do I find my API key?
API key values start with os_v2_app_ and are shown only once, immediately after you create or rotate the key. The Key ID column in the dashboard is an internal identifier, not the API key, and returns 401 Unauthorized if used for authentication. If you didn’t save your key value, rotate the key to generate a new one. See App API key or Organization API key for the full flow.
Can I retrieve a legacy App API key?
No. OneSignal no longer displays legacy App API keys. If you cannot find the value in your codebase, generate a new App API key and update your integrations.
What is the difference between an App ID, App API key, and Organization API key?
- App ID: A public identifier for your app. Used in SDK setup and API requests to specify the app.
- App API key: A secret used to send messages and manage users for one app.
- Organization API key: A secret used to manage apps and organization-level settings across your entire account.
What happens if my API key is exposed?
Rotate the key immediately. Rotation invalidates the old value and issues a new one while keeping the same Key ID, name, and IP allowlist. Then update every service that uses the key. Review your audit logs for unexpected API activity.
Related pages
REST API overview
Authenticate requests and understand the OneSignal REST API.
Rate limits
Per-key rate limits and best practices for high-volume integrations.
Audit logs
Review API and dashboard activity by key, user, and time.
Disabled Apps & Organizations
Pause or shut down an app and understand billing implications.
