API keys (External Applications)
External Applications provide programmatic access to the Checkstack API for non-human clients like CI/CD pipelines, monitoring tools, and custom integrations. This page covers managing applications in the UI. For the wire format, methods, and examples, see Public REST API.
Overview
- Identity type: Applications are RBAC-controlled identities (like users), not trusted services
- Authentication: Bearer token via the Authorization header
- Access: Enforced by standard RBAC - applications must be assigned roles with appropriate access rules
Creating an application
- Navigate to Authentication Settings -> Applications tab
- Click Create Application
- Enter a name and optional description
- Copy the secret immediately - it will never be shown again
New applications are automatically assigned the applications role. Assign additional roles via the inline checkboxes in the Applications table.
Token format
Application secrets follow a structured format:
ck_{applicationId}_{randomSecret}
- ck_: Prefix for easy identification in logs
- applicationId: UUID identifying the application
- randomSecret: Cryptographically random token
Example:
ck_a1b2c3d4-e5f6-7890-abcd-ef1234567890_f8k2mN9xZpW3qR7vL5tY
Rotation
Use the Regenerate Secret button on the Applications table to rotate a key. The old secret stops working immediately when the new one is generated, so update consumers before regenerating.
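The ck_ prefix and UUID in the token format above make leaked keys easy to find in logs or CI output, and the application ID tells you which key to regenerate. The following scanner is an added example, not Checkstack code; it assumes the random secret is URL-safe text of at least 16 characters, and the sample lines are constructed.

```python
import re

# Assumption: the secret part is URL-safe text of at least 16 characters.
# The page only says it is "cryptographically random"; adjust if needed.
TOKEN_RE = re.compile(
    r"\bck_"
    r"(?P<app_id>[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}"
    r"-[0-9a-fA-F]{4}-[0-9a-fA-F]{12})"
    r"_(?P<secret>[A-Za-z0-9_-]{16,})"
)


def find_tokens(text):
    """Return the application ID of every ck_ token found in text."""
    return [m.group("app_id").lower() for m in TOKEN_RE.finditer(text)]


def redact(text):
    """Replace the secret part, keeping the application ID for attribution."""
    return TOKEN_RE.sub(lambda m: f"ck_{m.group('app_id')}_[REDACTED]", text)


def scan_lines(lines):
    """Yield (line_number, application_id, redacted_line) for each hit."""
    for number, line in enumerate(lines, start=1):
        for app_id in find_tokens(line):
            yield number, app_id, redact(line.rstrip("\n"))


# Constructed sample input; the token is the example value from this page.
SAMPLE = [
    "2024-01-01T00:00:00Z GET /health 200\n",
    "DEBUG request headers: Authorization: Bearer "
    "ck_a1b2c3d4-e5f6-7890-abcd-ef1234567890_f8k2mN9xZpW3qR7vL5tY\n",
    "note: ck_not-a-uuid_abcdefghijklmnop is not a valid token\n",
]

if __name__ == "__main__":
    for number, app_id, line in scan_lines(SAMPLE):
        print(f"line {number}: regenerate secret for {app_id}")
        print(f"  {line}")
```

Any application ID the scanner reports should have its secret regenerated, since the logged value must be treated as exposed.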
Team assignments
Applications can be assigned to teams for resource-level access control. When an application is a member of a team, it can access resources that team has been granted access to.
The same Teams page that manages user assignments handles applications - add the application as a team member.
Security best practices
- Store secrets securely - Use environment variables or secret managers.
- Rotate secrets periodically - Use the Regenerate Secret button in the UI.
- Apply least privilege - Assign only the roles/access rules needed.
- Monitor usage - Check the Last Used column for inactive applications.
- Delete unused applications - Expired keys stop working immediately.
See also
- Public REST API - how to call Checkstack with the API key you create here.
- Authentication strategies - human login configuration alongside machine access.