Our monitoring solutions and APIs use API keys to authenticate and verify your identity. These keys allow only approved people in your organization to report data to New Relic, access that data, and configure features. The primary keys are the license key (for reporting data) and the (for working with NerdGraph, our GraphQL API).
Create and manage your API keys from the API keys UI page so you can start observing your data right away
Our main API keys
Key
Details
To view and manage
Read more
License key,
used for data ingest
License keys are used to report almost all data (except for browser and mobile data, which use their own keys). Each key is tied to a specific account and you can create as many as you want.
A user key is required to use NerdGraph, our GraphQL API, which is used for querying data and configuring features. Each user key is tied to a specific user.
If your API keys get into the wrong hands, it can present a security risk. For example:
Someone with your could send arbitrary data to your account.
Someone with one of your team member's user keys could view your New Relic data and make changes to your New Relic account.
You should treat your API keys securely, as you would passwords and other sensitive information. Some recommendations:
For the license key and the browser key, consider implementing a key rotation strategy: creating new keys and deleting old ones on a set schedule. Considerations:
You can't delete the original ingest keys associated with an account, so we recommend creating additional ingest keys that you can later delete. This ensures you're assuming a strong security posture.
Note that this doesn't apply to the mobile app token; you can't delete a token or create additional tokens.
For the :
Instruct your team members to keep their user keys secure.
When members leave your organization, remove their user IDs from New Relic. This disables all the user keys associated with their user ID.
Rotate API keys
Here's how to rotate each of our four most common API keys:
License keys are used to report almost all data (except for browser and mobile monitoring data, which use their own keys). Each key is tied to a specific account and users can create as many as they'd like. License keys can't be updated, and must be deleted and replaced by creating a new key.
By default, all New Relic accounts are created with an original account license key, which is shared by the entire organization. You can't delete this key from the API keys UI, but you can contact New Relic support to rotate your key.
To rotate user-created license keys:
Log in as the New Relic user whose key you’d like to rotate.
Click Create a key in the top-right corner of the API keys page.
Enter a new key name, select Ingest - License for the Key type, add an optional description, and click Save.
Update any scripts or code that reference the old key with the new key value. You can find the new key by clicking the ... icon in the same row as the new key, and then clicking Copy key.
Once any external dependencies have been updated, you can safely delete the old key by clicking the ... icon in the same row as the old key, and then clicking Delete.
You'll see this message in the lower right corner when the key has been successfully deleted:
By default, all New Relic accounts are created with an original account browser key, which is shared by the entire organization. You can't delete this key from the API keys UI, but you can contact New Relic support to rotate your key.
To rotate user-created browser keys:
Log in as the New Relic user whose key you’d like to rotate.
Click Create a key in the top-right corner of the API keys page.
Enter a new key name, select Ingest - Browser for the Key type, add an optional description, and click Save.
Update any scripts or code that reference the old key with the new key value. You can find the new key by clicking the ... icon in the same row as the new key, and then clicking Copy key.
Once any external dependencies have been updated, you can safely delete the old key by clicking the ... icon in the same row as the old key, and then clicking Delete.
You'll see this message in the lower right corner when the key has been successfully deleted:
Mobile monitoring uses a mobile app token to report data, rather than the license key. Mobile app tokens are all unique and re-generated each time an application is registered to NR1. To rotate mobile keys associated with your app, re-authorize the app in New Relic.
New Relic user keys, sometimes referred to as "personal API keys," are required for using NerdGraph and our REST API. Keys can belong to the organization or a specific user.
You can find user keys for your account in the API keys UI at one.newrelic.com/api-keys (or one.eu.newrelic.com/api-keys for our EU data center). You'll only see keys you have permission to use, unless you have All product admin permissions or a custom role that enables you to see those keys.
Important
If you believe a user key has been compromised, you should rotate all keys associated with that user or created by that user.
To rotate your user key, you'll create a new key, update references to the old key in your software, and then delete the old key. To rotate keys in the UI:
Log in as the New Relic user whose key you’d like to rotate.
Click Create a key in the top-right corner of the API keys page.
Enter a new key name, select User for the Key type, add an optional description, and click Save.
Update any scripts or code that reference the old key with the new key value. You can find the new key by clicking the ... icon in the same row as the new key, and then clicking Copy key.
Once any external dependencies have been updated, you can safely delete the old key by clicking the ... icon in the same row as the old key, and then clicking Delete.
You'll see this message in the lower right corner when the key has been successfully deleted:
We also have several older or less common API key type. To rotate these keys:
These are older keys that are not recommended for use by customers, but are still supported by New Relic. These keys are used for ingesting data via our metric, event, logs, and trace APIs and apply to the entire organization.
To rotate these keys:
Log in to New Relic on an account with admin permissions.
On the left side of the page, find the Looking for other keys? section and click REST API key.
Click Delete REST API Key.
Pixie API keys are used to authenticate custom applications to the Pixie platform. Pixie API keys can't be modified. To rotate Pixie API keys, you must create a new key, then delete the old one. For more information about Pixie API keys, see Managing API Keys in the Pixie docs.
The Partnership API is not available to your organization unless you're specifically instructed by your New Relic representative that you should use it. For more information about the API, see Partnership API reference.
To view or regenerate your keys, log in to New Relic using your partnership owner credentials, then go to Partnerships > Edit settingss.
Our main key used for data ingest is called the license key. In the API keys UI and in NerdGraph, this key is sometimes referenced as ingest - license.
The license key is required for almost all New Relic data ingest. The exceptions are browser monitoring data (which uses a browser key) and mobile monitoring data (which uses a mobile app token).
The license key is a 40-character hexadecimal string associated with a New Relic account. When you first sign up for New Relic, an organization with a single account and its own license key are created. If more accounts are added, each account starts with its own license key. The license key originally created for an account cannot be deleted but you can create additional license keys that can be managed and deleted, and this is useful for implementing security-practices such as key rotation. If you need to rotate an account's original account license key, contact support.
To restrict a user from being able to view or manage license keys, assign them a role without those permissions: original user model | newer user model.
Browser monitoring uses a browser key to report data, rather than the license key. The browser key is used to associate data from the browser monitoring agent to your account.
You can't manage or delete the original browser key created when your account was created, but you can create new browser keys and delete those keys. For assistance rotating an account's original browser key, contact support.
Mobile monitoring uses a mobile app token to report data, rather than the license key. See Mobile app token for more information.
New Relic user keys, sometimes referred to as "personal API keys," are required for using NerdGraph and our REST API.
A is tied to a specific New Relic user, and cannot be transferred. The user key allows you to make queries for any accounts you've been granted access to, not just the specific account the key was associated with. If a New Relic user is deleted in New Relic, their user keys are also deactivated and won't work.
Even though they provide a user access to multiple accounts, user keys are linked to a single specific account: the account they were created from. The significance of this is that if an account is deleted, any user keys associated with that account will no longer work. (Also, for our REST APIs, calls are limited to the account associated with that user key.)
Besides the main API keys explained above, we have several other, older API keys that some New Relic customers still use. If you don't already use these keys, you likely don't need to start.
Important
This key is still in use but we highly recommend using the , which can be used for the same things and more.
One of our older New Relic API keys used for data ingest is the Insights insert key, also known as an insert key. Note that the license key is used for the same functionality and more, which is why we recommend the license key over this key.
This key is used for the ingestion of data via our Event API, Log API, Metric API, and Trace API, or via the integrations that use those APIs.
Tips on availability and access:
Because these keys are associated with an account and not a specific user, anyone in the account with access to a key can use it.
As a best practice for security purposes, we recommend you use different Insights insert keys for different applications or different data sources.
The admin key is one of our older, deprecated API keys. As of December 4, 2020, all existing admin keys have been migrated to be user keys.
If you were using admin keys, you don't need to do anything for those keys to remain active. They'll be automatically accessible via the API keys UI, labeled as user keys, and granted identical permissions. You can manage them as you would any user key via the same workflow.
All migrated admin keys will have a note that says Migrated from an admin user key in the key table.
The REST API key is an older key for using our REST API. We now recommend using the user key instead of the REST API key. The user is user-specific as opposed to account-specific, which gives your organization more control over your team members' access. Also, we recommend using our newer API, NerdGraph, instead of the REST API.
Things to consider:
Each New Relic account can have only one REST API key.
We recommend using a user key instead of the REST API key.
We recommend using NerdGraph over the REST API, if possible.
Requires admin-level user permissions. If you don't have access to the REST API key or the REST API explorer, it might be due to lack of permissions. Talk to your New Relic account manager, or use a user key instead.
To find and manage REST API keys: From the user menu, click API keys (get a direct link to the API keys page). Then click REST API key. Before you configure or delete an API key, ensure you are doing so for the correct account.
