To access the SteelEngine API, you need an API key. SteelEngine supports three types of API keys — personal keys, workspace keys, and organization keys — each with different billing and access behaviors.
Key Types
| Personal Keys | Workspace Keys | Organization Keys | |
|---|---|---|---|
| Billed to | Your individual account | Workspace owner | Workspace owner |
| Scope | Across workspaces you have access to | Shared across the workspace | Explicit grants: chosen workspaces and/or individual workflows |
| Managed by | Each user individually | Workspace admins | Organization admins |
| Permissions | Must be enabled at workspace level | Require admin permissions | Per-grant read/write/admin level |
Workspace admins can disable personal API key usage for their workspace. If disabled, only workspace and organization keys can be used.
Scoped keys
Workspace keys can optionally be narrowed to specific workflows at creation time. Organization keys always carry an explicit scope list — each grant targets a workspace or a single workflow and carries its own permission level (read, write, or admin). A key is rejected with 403 when used outside its grants, and an organization key loses access to a workspace that leaves the organization.
Generating API Keys
To generate a personal or workspace key, open the SteelEngine dashboard and navigate to workspace Settings → API Keys and click Create. Organization keys are managed in Organization Settings → API Keys by organization admins; the workspace settings page also lists which organization keys can reach the current workspace.
API keys are only shown once when generated. Store your key securely — you will not be able to view it again.
Using API Keys
Pass your API key in the X-API-Key header with every request:
curl -X POST https://steelengine.com/api/workflows/{workflowId}/execute \
-H "Content-Type: application/json" \
-H "X-API-Key: YOUR_API_KEY" \
-d '{"inputs": {}}'const response = await fetch(
'https://steelengine.com/api/workflows/{workflowId}/execute',
{
method: 'POST',
headers: {
'Content-Type': 'application/json',
'X-API-Key': process.env.STEELENGINE_API_KEY!,
},
body: JSON.stringify({ inputs: {} }),
}
)import requests
response = requests.post(
"{{APP_URL}}/api/workflows/{workflowId}/execute",
headers={
"Content-Type": "application/json",
"X-API-Key": os.environ["STEELENGINE_API_KEY"],
},
json={"inputs": {}},
)Where Keys Are Used
API keys authenticate access to:
- Workflow execution — run deployed workflows via the API
- Logs API — query workflow execution logs and metrics
- MCP servers — authenticate connections to deployed MCP servers
- SDKs — the Python and TypeScript SDKs use API keys for all operations
Security
- Keys use the
sk-steelengine-prefix and are encrypted at rest - Keys can be revoked at any time from the dashboard
- Use environment variables to store keys — never hardcode them in source code
- For browser-based applications, use a backend proxy to avoid exposing keys to the client
Never expose your API key in client-side code. Use a server-side proxy to make authenticated requests on behalf of your frontend.