Skip to main content

API key types

All API requests require authentication using either:
  • Organization API Keys - Created by Organization Admins in Settings > API access
  • Personal Access Tokens (PAT) - User-scoped tokens created in a user’s profile settings Note: If connecting to the MCP Server via OAuth, Omni will automatically create an MCP OAuth PAT for the authenticating user. See the MCP Server authentication documentation for more information.
Use the following table to compare API key types:
Organization API keyPersonal Access Token (PAT)MCP OAuth PAT
What’s it forSystems integrations, automated workflows, and API endpoints inaccessible to PATsIndividual user workflows using any PAT-compatible API endpointConnecting to the MCP Server via OAuth
Who can createOrganization AdminsModeler+ usersAny user
PermissionsOrganization AdminCreating user’s permissionsCreating user’s permissions
Where to createSettings > API access > Organization keysProfile > Manage account > Generate tokenAutomatically created during the MCP OAuth flow
Where to viewSettings > API access > Organization keysSettings > API access > Personal tokensNot currently visible in the app

Authorization header

Include your token in the Authorization header as: Bearer YOUR_API_KEY: 
curl -L 'https://your-omni-org.omniapp.co/api/scim/v2/users' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <YOUR_API_KEY>'

Organization API keys

Organization Admin permissions are required to create and access organization API keys.

Creating Organization API keys

To create an API key:
1
Navigate to Settings > API access > Organization keys.
2
Click Generate new key.
3
In the modal that displays, enter a descriptive name for the API key.Note: API keys will inherit the user attributes of the user who created the key. Enter something that distinguishes you as the creator, such as your initials, into the key’s Name field to make it easy to identify who created the key. This can be helpful when troubleshooting permission issues.
4
Click Generate.
5
Copy the key. Note: API keys are only displayed once when created.

Revoking an Organization API key

Unlike disabling an API key, revoking permanently deletes the API key from your Omni instance.
1
Navigate to Settings > API access > Organization Keys.
2
Locate the API key you want to revoke.
3
Click the (trash can) icon in the same row as the API key.
4
When prompted, click Yes, revoke to confirm.

API key expiration

API keys do not expire, but they may be revoked by the user at any time. In the event that your API key is lost or compromised, delete the API key in your Omni instance and create a new one. API keys are tied to the current state of the user who created them. If the creator’s user attributes change or the user is revoked, the associated key will reflect that change.

Personal Access Tokens (PAT)

Looking for MCP OAuth PATs? See the MCP Server authentication documentation for more information.
Personal access tokens (PAT) allow individual users to use the Omni API with their own permissions, rather than using an Organization API key. A PAT is scoped to the user who creates it and will inheirit their in-app permissions.

Inaccessible endpoints

PATs cannot be used for authentication with the following endpoints, as an Organization API key is required:

Creating PATs

1

Enable Personal Tokens for your Omni instance

First, an Organization Admin has to enable the Settings > API access > Personal tokens setting. This allows users in the instance to create PATs.
2

Generate a token

Once enabled, users with Modeler or Connection Admin permissions on any model in the instance can create a personal token.Click your Omni user profile icon, then Manage account > Generate token.

Revoking a PAT

Organization Admins can revoke all existing PATs by disabling the Settings > API access > Personal tokens setting. A confirmation dialog will appear before the setting is disabled to prevent accidental revocation of all user tokens. Individual users can revoke (delete) their PAT by:
1
Click your Omni user profile icon in the top right corner.
2
Click Manage account.
3
Locate the Personal API token section.
4
Click the (trash can) icon.
5
When prompted, click Yes, revoke to confirm.