Pick personal or team API keys for real work
Match `user.` keys to laptops and prototypes — `team.` keys to CI, intakes, and anything teammates panic-debug at 2am — without memorizing philosophy.
Plus: three Admin-Agent passes — inventory every running automation against the wrong key type, sequence a no-drama personal→team migration, rehearse leak response ordering.
| Audience | Admins · Developers |
|---|---|
| Time | ~8 min |
| Prerequisites | You can create keys in **Settings → API Keys** ([Generate your first API key](/tutorials/generate-your-first-api-key)). For **`team.`** keys you need **Business or Enterprise** plus team Owner/Admin ([Create a shared Team API Key](/tutorials/create-a-team-api-key)). If webhooks are in play, you’ve seen Bearer auth on intakes ([Trigger a workflow with an intake webhook](/tutorials/trigger-a-workflow-with-an-intake-webhook)). |
| You'll end up with | A written rule-of-thumb your team can repeat — **personal = solo / ephemeral**, **team = shared runtime** — plus enough vocabulary to defend intake scoping and rotation in ops reviews. |
When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.
Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.
Why this matters
Every HTTP caller holds exactly one secret, either a `user.…` (personal) key or a `team.…` (team-owned) key. Both authenticate the same way, as a Bearer token or an `x-api-key` header (Authentication & API Keys), but they decay differently when people change roles:
- Personal keys inherit your account lifecycle. Vacation shouldn’t take prod down (unless prod is still running on your laptop key).
- Team keys inherit team membership and admin rotation: right fit when CI, cron, or intake handlers outlive any single login.
Intakes explicitly accept either key type; Business/Enterprise teams usually want `team.` so service traffic scopes cleanly (Intake Webhooks).
Auxot doesn’t rotate keys for you: you revoke and create. Keys don’t paste themselves into Slack either.
Quick start
- List callers: laptop scripts, GitHub Actions, Lambda, cron VM, intake POSTs, and Cursor/Claude env vars: anything holding `Authorization: Bearer`.
- Ask “who is affected if the creator’s account is deactivated?” Solo → `user.` is honest. On-call group → prefer `team.` when tier allows.
- Name keys after the runtime: `gha-deploy-main`, `Lambda-signup-intake`, `cursor-macbook-alex`, not `key1`.
- Store in a secrets manager: env injection in CI; never commit `.env` with keys (Authentication & API Keys).
- Document owner + rotation date: a spreadsheet row now beats trying to reconstruct history six months later (Rotate credentials without surprising your agents mindset).
Done? Every automation row shows `user.` vs `team.` with a one-line justification: audit-ready in sixty seconds.
The agent can do that?
1. Honest inventory against criteria
Chat → Admin Agent:
List integrations likely holding Auxot API keys: CI, schedulers, editors, personal scripts. Classify each — must be team key vs acceptable personal — cite blast radius if creator account deactivated Friday.
Why it’s non-obvious: Spreadsheets only show what you remembered to write down. A conversational pass surfaces “Jordan’s cron” that’s still active under a vague name. You still open each host and verify headers, since guesses aren’t evidence.
2. Sequence a personal → team migration
We're moving intake "[name]" off `user.`… key created by a former contractor. Sequence: create a team key, dual-stack callers briefly vs hard cut — trade-offs for [AWS Lambda description].
Why it’s non-obvious: The zero-downtime vs clean-cut trade-off depends on the platform. Paste the architecture you actually operate and the reply comes back as an ordered list of clicks for you to execute.
3. Leak rehearsal ordering
Assume partial leak of `[redacted prefix]` key from CI logs. Ordered response: revoke, audit Audit Logs for misuse window, reissue, and notify — what Auxot UI clicks map to each step?
Why it’s non-obvious: If you revoke in a panic, every service that still depends on the key breaks first. The ordered rehearsal stops you revoking the old key before every consumer has been switched to the replacement, and makes the one case where you revoke first anyway (a confirmed leak, where exposure beats uptime) a deliberate call rather than a reflex (Manage your Credentials is the related discipline).
Go deeper
When team. isn’t available
Free / Team tiers: `user.` only. Mitigate with service account discipline (a dedicated non-human user) if your org supports it; otherwise lean on disciplined naming and faster rotation, and don’t park production traffic on a shared laptop.
Intakes
Bearer header accepts both prefixes: choose `team.` when intake workloads belong to a bounded team on Business/Enterprise (Trigger a workflow with an intake webhook, Authentication & API Keys).
Editors
Cursor / Claude Code locally → usually `user.` tied to a named workstation: revoke when the laptop rotates (Route Cursor and Claude Code through Auxot).
Decision table (cheat sheet)
| Caller | Preferred key | Why |
|---|---|---|
| Developer laptop experiment | user. | Dies with person: acceptable blast radius |
| GitHub Actions prod deploy | team. | Pipeline outlives individual SSO |
| Scheduled Lambda → intake | team. | Shared ops + team scope |
| Personal Claude Code session | user. | Identity maps cleanly |
| Shared cron on Bastion | team. | Multiple SSH operators |
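The Quick start list and the decision table above express one rule: shared runtimes get `team.` when the tier allows, solo runtimes get `user.`, and every key is named after what holds it. The Python below is an added example that encodes that rule as a check you can run over your own inventory; it is not Auxot code. The runtime categories, the `Caller` fields, the vague-name heuristic and the sample rows are assumptions made for this page; only the `user.` / `team.` prefixes and the Business/Enterprise constraint on team keys come from the docs.

```python
"""Check an inventory of Auxot API-key consumers against the personal-vs-team rule.

Added example for this tutorial, not Auxot code. Runtime taxonomy, field
names and sample rows are assumptions; the prefixes come from the docs.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

PERSONAL = "user."
TEAM = "team."

# Runtimes that more than one person depends on: the page's "crying test".
SHARED_RUNTIMES = {"ci", "scheduler", "intake", "shared-cron"}
# Runtimes that die with one person and nobody else notices.
SOLO_RUNTIMES = {"laptop", "editor"}

# A key name should say which runtime holds it; "key1" or "token2" say nothing.
VAGUE_NAME = re.compile(r"^(key|token|api|test|prod)?\d*$", re.IGNORECASE)


@dataclass(frozen=True)
class Caller:
    name: str                   # label shown in Settings -> API Keys
    runtime: str                # one of SHARED_RUNTIMES | SOLO_RUNTIMES (assumed)
    key_prefix: str             # "user." or "team." as seen in the secret store
    owner: str                  # human whose account created the key
    team_keys_available: bool   # Business/Enterprise with team Owner/Admin


def preferred_prefix(c: Caller) -> str:
    """Shared runtime -> team. when the tier allows; everything else -> user."""
    if c.runtime in SHARED_RUNTIMES and c.team_keys_available:
        return TEAM
    return PERSONAL


def blast_radius(c: Caller) -> str:
    """One line answering: who is affected if the owner is deactivated Friday?"""
    if c.key_prefix == PERSONAL and c.runtime in SHARED_RUNTIMES:
        return f"{c.name} stops for every consumer when {c.owner} leaves"
    if c.key_prefix == PERSONAL:
        return f"only {c.owner}'s {c.runtime} stops; acceptable"
    return "none: team. outlives any single login"


def classify(c: Caller) -> list[str]:
    """Findings for one inventory row; an empty list means the row is fine."""
    findings: list[str] = []
    if c.key_prefix not in (PERSONAL, TEAM):
        return [f"unrecognised prefix {c.key_prefix!r}: open the host and verify the header"]
    if c.runtime not in SHARED_RUNTIMES | SOLO_RUNTIMES:
        return [f"unknown runtime {c.runtime!r}: classify by hand"]
    want = preferred_prefix(c)
    if c.key_prefix == PERSONAL and want == TEAM:
        findings.append("must be team key: " + blast_radius(c))
    elif c.key_prefix == PERSONAL and c.runtime in SHARED_RUNTIMES:
        findings.append("acceptable personal only because the tier lacks team.: "
                        "use a dedicated non-human user and rotate faster")
    elif c.key_prefix == TEAM and c.runtime in SOLO_RUNTIMES:
        findings.append("team key on a solo runtime: identity no longer maps to a person")
    if VAGUE_NAME.match(c.name):
        findings.append("rename after the runtime, e.g. gha-deploy-main")
    return findings


def inventory_report(callers: list[Caller]) -> dict[str, list[str]]:
    """Map each caller name to its findings, ready to paste into the spreadsheet."""
    return {c.name: classify(c) for c in callers}


# Constructed inventory for illustration; not real workspace data.
SAMPLE_INVENTORY = [
    Caller("gha-deploy-main", "ci", "user.", "alex", True),
    Caller("lambda-signup-intake", "intake", "team.", "jordan", True),
    Caller("cursor-macbook-alex", "editor", "user.", "alex", True),
    Caller("key1", "shared-cron", "user.", "jordan", False),
    Caller("claude-desk-sam", "editor", "team.", "sam", True),
]

if __name__ == "__main__":
    for name, findings in inventory_report(SAMPLE_INVENTORY).items():
        print(name, "->", findings or ["ok"])
```

Treat the output as the starting point for the Admin Agent pass above, not as evidence: the script only sees what you typed into the inventory, so "Jordan's cron" still has to be found and its headers checked on the host.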
Walkthrough
Step 1: Export mental inventory
Whiteboard columns: Service | Env location | Key prefix today | Owner human.
Step 2: Apply the crying test
Any row where two people would wake up if the key vanished tonight → candidate for `team.`.
Step 3: Create the missing team keys
Follow Create a shared Team API Key: pick the correct team dimension before saving (wrong team ⇒ wrong data scope downstream).
Step 4: Swap consumers deliberately
Update CI secrets → rerun the pipeline as a dry-run → tail Audit Logs (Trace a failing job end to end) until you see the expected shape of successful authenticated traffic under the new key.
Step 5: Revoke old personal keys used as faux-shared infra
Only after consumers prove healthy: screenshot Audit Logs success counts if leadership wants receipts.
Step 6: Encode policy
One internal sentence: “Production automation keys must be `team.`; personal keys expire with quarterly laptop rotation.”
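Steps 3 to 5 above and the leak rehearsal prompt earlier share one ordering rule: create the replacement first, switch consumers, verify each one in Audit Logs, and revoke the old key only after every consumer is verified, skipping that gate only for a confirmed leak. The Python below is an added example that enforces that ordering as a small state machine; it is not Auxot code, and since Auxot has no rotate call, each method stands for a UI action you perform by hand. The audit-log line format is constructed for this example and is not Auxot's real export; the key labels, consumer names and log lines are invented samples.

```python
"""Gate revocation of a retiring key on verified traffic from its replacement.

Added example for this tutorial, not Auxot code. The audit-line format,
key labels and consumer names are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed audit-log shape for this example only; Auxot's real export differs.
# Key *labels*, never key values, are what should appear in any log you tail.
AUDIT_LINE = re.compile(
    r"^(?P<ts>\S+) caller=(?P<caller>\S+) key_name=(?P<key>\S+) status=(?P<status>\d{3})$"
)


@dataclass
class KeyMigration:
    old_key_name: str            # label of the personal key being retired
    new_key_name: str            # label of the team. replacement
    consumers: frozenset[str]    # every runtime that sends the old key today
    created: bool = False
    switched: set[str] = field(default_factory=set)
    verified: set[str] = field(default_factory=set)
    warnings: list[str] = field(default_factory=list)
    old_revoked: bool = False

    def create_replacement(self) -> None:
        """Step 3: mint the team key in Settings before touching any consumer."""
        self.created = True

    def switch(self, consumer: str) -> None:
        """Step 4: repoint one consumer's secret store at the new key."""
        if not self.created:
            raise RuntimeError("create the replacement before swapping consumers")
        if consumer not in self.consumers:
            raise KeyError(f"{consumer} is not in this migration's inventory")
        self.switched.add(consumer)

    def observe(self, audit_lines: list[str]) -> None:
        """Step 4, verify: a consumer is migrated only after a 200 carrying the new key."""
        for line in audit_lines:
            m = AUDIT_LINE.match(line)
            if m is None:
                self.warnings.append(f"unparsed audit line: {line!r}")
                continue
            caller, key, status = m["caller"], m["key"], m["status"]
            if caller not in self.consumers:
                continue  # traffic from something outside this migration
            if key == self.new_key_name and status == "200":
                if caller in self.switched:
                    self.verified.add(caller)
            elif key == self.new_key_name:
                self.warnings.append(
                    f"{caller} got {status} with {self.new_key_name}: check the team scope")
            elif key == self.old_key_name and caller in self.switched:
                self.warnings.append(
                    f"{caller} was switched but still sends {self.old_key_name}: "
                    "stale env or cached secret")

    def pending(self) -> set[str]:
        """Consumers not yet seen succeeding with the new key."""
        return set(self.consumers) - self.verified

    def can_revoke(self, confirmed_leak: bool = False) -> bool:
        """Normal migration: wait for everyone. Confirmed leak: exposure beats uptime."""
        return confirmed_leak or not self.pending()

    def revoke_old(self, confirmed_leak: bool = False) -> None:
        """Step 5: revoke the old key; refuse while consumers are unverified unless it leaked."""
        if not self.can_revoke(confirmed_leak):
            raise RuntimeError(
                f"refusing to revoke {self.old_key_name}: unverified {sorted(self.pending())}")
        self.old_revoked = True
        if self.pending():
            self.warnings.append(
                f"revoked {self.old_key_name} with {sorted(self.pending())} unverified: "
                "outage accepted over continued exposure")


def run_sample() -> KeyMigration:
    """Constructed walk-through: one consumer verified, one still on the old key."""
    mig = KeyMigration("alex-laptop-key", "team-ops-intake",
                       frozenset({"gha-deploy-main", "lambda-signup-intake"}))
    mig.create_replacement()
    mig.switch("gha-deploy-main")
    mig.switch("lambda-signup-intake")
    mig.observe([  # constructed log lines, not real Auxot output
        "2025-03-01T02:00:01Z caller=gha-deploy-main key_name=team-ops-intake status=200",
        "2025-03-01T02:00:05Z caller=lambda-signup-intake key_name=alex-laptop-key status=200",
    ])
    return mig


if __name__ == "__main__":
    mig = run_sample()
    print("pending:", sorted(mig.pending()), "| can revoke:", mig.can_revoke())
    for w in mig.warnings:
        print("warn:", w)
```

The second sample log line is the case that bites in practice: the secret store was updated, but the Lambda kept a cached value and still presents the old key, so `can_revoke()` stays false until a real 200 with the new label shows up. When you adapt this to your own Audit Logs export, change only `AUDIT_LINE` and keep the gate.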
What’s next
- → Harden your intake webhooks. Operational posture once Bearer lands on shared ingress.
- → Create a shared Team API Key. Create-and-copy mechanics when `team.` is new to you.
- → Trigger a workflow with an intake webhook. Bearer headers on real POST traffic.
- → Generate your first API key. Personal key hygiene baseline.
- → Unstick your first week in Auxot. When the prefix looks right but callers still get `401` or the wrong scope, map the five gotchas before you create another key.
Reference
- Pages in Auxot: Settings → API Keys (Personal + Team sections), Settings → Teams → Keys (team-owned key creation path per product layout)
- Manual: Authentication & API Keys, API overview
- Prefixes: `user.` (personal), `team.` (team)
- See also: Harden your intake webhooks, Manage your Credentials, Rotate credentials without surprising your agents, Unstick your first week in Auxot, Connect Discord to your agents