Summary

Issue: Org owners cannot programmatically list API key metadata across all users in the organization. GET /v1/api_key returns only the caller’s own keys, even for org owners.

Cause: The org-wide key listing logic (makeOwnerApiKeysFullResultSetQuery) is only exposed through UI server actions, not through the public REST API.

Resolution: Use the Braintrust UI to audit org-wide API keys. A dedicated read-only endpoint is a tracked feature request with no current ETA.

Current behavior

| Method | Org-owner access |
| --- | --- |
| Braintrust UI | View and manage all org API keys |
| GET /v1/api_key | Returns caller’s own keys only |
| GET /v1/organization/{org_id}/api-keys | Does not exist |

Workaround

Using the UI

Org owners can view and manage all API keys under Settings → API Keys in the Braintrust UI. This is the only supported method for org-wide key auditing at this time.

Using user impersonation

The API supports impersonating users to fetch their keys:
  1. Call POST /v1/impersonate with a target user ID.
  2. Use the returned token to call GET /v1/api_key.
  3. Repeat for each user in the org.

```
# Step 1: Impersonate a user
POST /v1/impersonate
{ "user_id": "<user_id>" }

# Step 2: List their keys using the impersonation token
GET /v1/api_key
Authorization: Bearer <impersonation_token>
```
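
The three steps above as one audit loop, written as an added example rather than Braintrust's own code. It records users whose keys could not be fetched so the audit's coverage is known. Assumptions: the `BASE_URL` host, the `token` and `objects` response fields, the hypothetical `audited_user_id` column, and a caller-supplied list of user IDs (the page does not say how to enumerate users).

```python
import json
import urllib.request

BASE_URL = "https://api.braintrust.dev"  # assumption: API host for your deployment


def http_call(method, path, token, body=None):
    """Minimal JSON transport over urllib; raises OSError on HTTP/network errors."""
    req = urllib.request.Request(
        BASE_URL + path,
        method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_org_keys(owner_token, user_ids, call=http_call):
    """Return (inventory, failed).

    inventory: one dict of key metadata per API key, tagged with its owner.
    failed:    {user_id: error type} for users that could not be audited.
    """
    inventory, failed = [], {}
    for user_id in user_ids:
        try:
            # Step 1: impersonate the user ("token" is an assumed field name).
            imp = call("POST", "/v1/impersonate", owner_token, {"user_id": user_id})
            # Step 2: list that user's keys. The impersonation token is used
            # once here and is never stored in the inventory or printed.
            listing = call("GET", "/v1/api_key", imp["token"])
        except (OSError, KeyError, ValueError) as exc:
            # Step 3 continues: one failing user must not end the audit.
            failed[user_id] = type(exc).__name__
            continue
        for key in listing.get("objects", []):  # "objects" is an assumed field
            inventory.append({**key, "audited_user_id": user_id})
    return inventory, failed
```

A non-empty `failed` result means the inventory is incomplete and those users still need to be checked in the UI.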