Navigate to Settings > Keys & IDs to access your OneSignal app's public and private keys.

App ID

Your OneSignal App ID (or just App ID) is the main identifier to differentiate your app from all other OneSignal apps. You will use this in all your SDK initialization codes and API calls. Note that the App ID doesn't need to be treated as private.

API keys

The App API Key serves as the REST API Key to most of our REST APIs while the Organization API key is used for app-related APIs as detailed below.

You can find your App's API key in Settings > Keys & IDs of your OneSignal Dashboard. Include this key in the Authorization header using the Key Authentication scheme e.g., Key REST_API_KEY.

❗️

Do not share this key

Treat your REST API Key as though it is a password - do not add it to your app code or public repositories (e.g. github) and do not share it with anyone.

Creating a new key

1. Click the ‘New Key’ button to open the Create API Authentication Key modal.
2. Enter a descriptive name for your key like the name of the service that will use the key.

IP allowlist

You can optionally enable IP Allowlisting, which limits the IP addresses that are permitted to use the API key. Toggle the IP allowlisting setting on, then enter a list of space-separated IP CIDRs, e.g.:
192.0.2.0/24 192.0.2.123/32

If a service tries to use an API key with an IP allowlist from an IP outside the allowlist, it will receive an Access Denied response.

You can generate up to 16 REST API keys, each with different names and IP allowlisting configurations.

Editing keys

You can update the name and IP allowlisting configuration for a key by opening the menu on the right-hand side of the key table and selecting Edit. Editing a key does not regenerate the authentication secret, so you do not need to update the key in your application afterward.

Rotating keys

You can rotate the authentication secret for a key by opening the menu on the right-hand side of the key table and selecting Rotate. Rotating a key does not change the name or IP Allowlisting configuration but does generate a new authentication secret. After rotating a key, you must update the key in your application to continue authenticating with the API.

Deleting keys

You can delete keys by opening the menu on the right-hand side of the key table and selecting Delete. Deleting a key stops it from being used to authenticate with the API.

Organization API key

An Organization API Key is used for app management API requests (e.g. using the Creating an app and Viewing apps). It can't be used to send notifications or other common app actions. Organization keys are mainly useful for large organizations that manage hundreds of applications in a single organization.

To create an Organization API key, click Organizations > Keys & Ids

As with App API keys, you can configure up to 16 org keys and include IP allowlisting configuration.

Migrating from legacy API keys

On the 14th of November 2024, we announced the new rich API key system described above and started deprecating legacy API keys. Legacy user API keys will be deprecated on the 1st of March 2025, and legacy app API keys will be deprecated in Q1 2026. We'll follow up with further communications closer to these dates.

To continue using the API, your apps need to migrate to using the new rich API keys described above. This migration is easy, and takes only a few minutes:

• Follow the instructions above to create a new rich API key.
• Update the key in your codebase so it uses the new rich key, removing the old legacy key.
• Make sure your API requests are using https://api.onesignal.com and not the legacy https://onesignal.com/api/v1/ URL.
• Click the "Disable Legacy Key" button in the app Keys & IDs page.

Disabling your app

You may disable your app to prevent new and scheduled notifications from being delivered.

You'll still receive new subscribers if you disable the app. You must remove or comment out the OneSignal code to stop new subscriptions.

Apps you manually disable can be instantly re-enabled at any time.