API Keys
API keys allow automation and third-party integrations to interact with BadgerPanel without using a user's login credentials. Each key is a scoped token that can be restricted to specific permissions and IP addresses.
Admin API Key Page
Administrators can manage API keys from Admin > Management > API Keys. This page lists all API keys in the system, showing:
- Key prefix (the visible portion of the token)
- Description
- Status (active or inactive)
- Last used date
- Creation date
Creating an API Key
- Navigate to Admin > Management > API Keys and click Create Key.
- Enter a Description to identify the key's purpose (e.g., "Billing webhook", "Monitoring bot").
- Select the Permissions the key should have. Only grant the minimum permissions needed for the integration.
- Optionally add an IP Allowlist to restrict which IP addresses can use the key. Enter one or more IP addresses or CIDR ranges. If left empty, the key can be used from any IP.
- Click Create.
The full API key is displayed once after creation. Copy it immediately and store it securely - the full key cannot be retrieved again.
Token Format
API keys use the format bp_ followed by a random string (e.g., bp_a1b2c3d4e5f6...). The bp_ prefix makes it easy to identify BadgerPanel tokens in configuration files and logs. The panel keeps only the prefix portion in readable form, for display purposes - the full token is hashed before storage, which is why it cannot be shown again after creation.
Viewing Key Details
Click any key in the list to view its details:
- Prefix - the visible portion of the token for identification
- Description - the purpose you entered when creating the key
- Permissions - which actions the key is authorized to perform
- IP Allowlist - which IP addresses are allowed (if configured)
- Last Used - when the key was last used to make an API request
- Created - when the key was generated
Toggling Key Status
API keys can be toggled between Active and Inactive from the key detail page. An inactive key is immediately rejected on any API request. This is useful for temporarily disabling an integration without permanently deleting the key.
Deleting a Key
To permanently revoke an API key, open the key detail page and click Delete. Deletion is immediate - any integration using the key will start receiving authentication errors right away. Deleted keys cannot be recovered.
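The following sketch shows how the properties described above (a visible prefix with a hashed token, the optional IP allowlist, scoped permissions, and active/inactive status) can combine into a single per-request decision. It is an added illustration, not BadgerPanel's own code: the SHA-256 hash, the 11-character prefix length, the token length and the permission names are assumptions.

```python
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

PREFIX_LEN = 11  # assumption: "bp_" plus 8 characters kept for display


@dataclass
class StoredKey:
    prefix: str            # visible portion shown in the admin list
    digest: str            # hash of the full token; the token itself is never kept
    permissions: frozenset
    allowlist: tuple = ()  # IPs or CIDR ranges; empty means any source IP
    active: bool = True


def issue_key(permissions, allowlist=()):
    """Return (full_token, record). The full token is available only here, once."""
    token = "bp_" + secrets.token_hex(24)
    digest = hashlib.sha256(token.encode()).hexdigest()  # assumption: SHA-256
    return token, StoredKey(token[:PREFIX_LEN], digest,
                            frozenset(permissions), tuple(allowlist))


def ip_allowed(client_ip, allowlist):
    if not allowlist:
        return True
    addr = ipaddress.ip_address(client_ip)
    # strict=False accepts entries such as 10.0.0.5/24; a bare IP is a single-host network
    return any(addr in ipaddress.ip_network(e, strict=False) for e in allowlist)


def authorize(token, client_ip, permission, store):
    """Return (allowed, reason); store maps prefix -> StoredKey (deleted keys are absent)."""
    record = store.get(token[:PREFIX_LEN]) if token.startswith("bp_") else None
    if record is None:
        return False, "unknown key"
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record.digest):  # constant-time comparison
        return False, "unknown key"
    if not record.active:
        return False, "key inactive"
    if not ip_allowed(client_ip, record.allowlist):
        return False, "source IP not in allowlist"
    if permission not in record.permissions:
        return False, "permission not granted"
    return True, "ok"
```

Because only the digest is kept, a copy of the stored records does not yield usable tokens, and removing a record from the store makes every later request with that token fail as an unknown key.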
Security Best Practices
- Do not share keys - Treat API keys like passwords. Each integration should have its own dedicated key.
- Use IP allowlists - Restrict keys to known IP addresses whenever possible. This limits the damage if a key is leaked.
- Grant minimum permissions - Only assign the permissions an integration actually needs. A monitoring bot does not need server deletion permissions.
- Rotate keys periodically - Create a new key, update your integration, then delete the old key. This limits the window of exposure if a key has been compromised.
- Disable unused keys - If an integration is no longer in use, deactivate or delete its key immediately.
- Monitor last used dates - Keys that have not been used in a long time may be forgotten and should be reviewed for deletion.
Next Steps
- User Management - managing user accounts
- Roles and Permissions - understanding permission scopes
- Server Management - managing servers via the panel
