Skip to main content
LangWatch uses API keys to authenticate SDK calls, MCP connections, and API requests. All keys are managed from a single place: Settings → API Keys.

Ingestion keys vs API keys

LangWatch splits credentials into two concepts, the same way Datadog separates ingest-only API keys from RBAC-scoped application keys. Both are sk-lw-… strings, but they carry very different power:
Ingestion keyAPI key
What it doesWrites traces, and nothing elseReads and manages everything its scope allows
RoleA built-in, write-only ingest-only role granting only traces:createRBAC scopes you pick (personal: your ceiling; service: scope + mode)
ScopeExactly one projectOne or more projects, teams, or the whole organization
Best forSpraying into agent environments, CLIs, and OTLP exporters (Claude Code, Cursor, Claude cowork, …) where you only want to push telemetrySDK setup, MCP, CI/CD, dashboards, automation, anything that reads or changes data
Blast radius if leakedMinimal, it can only create traces in its one project, never read or deleteWhatever its RBAC scope grants, treat it like a password
Because an ingestion key is genuinely write-only, it’s safe to drop into an agent’s environment or a managed-settings file. An ingestion template mints one for you and wires it into the tool’s OTEL_EXPORTER_OTLP_HEADERS; the langwatch <tool> CLI does the same on your behalf. An ingestion key may also reference an IngestionTemplate (its OTTL / catalog metadata) so the receiver shapes the trace into the canonical gen_ai.* form. The rest of this page covers the RBAC-scoped API keys you create from Settings → API Keys.

Key Types

Personal KeyService Key
Tied toA specific userNo user (org-level)
Best forLocal development, AI assistants (MCP), personal workflowsCI/CD pipelines, automation, service-to-service
PermissionsInherits your RBAC permissions (ceiling model)Scoped to specific projects with ADMIN access
Survives user removalNo — disabled when user leaves the orgYes — independent of any user
Requires LANGWATCH_PROJECT_IDYesYes
Legacy project keys (the LANGWATCH_API_KEY shown on the project setup page) still work and will continue to be supported. They have the project context built in, so they don’t require LANGWATCH_PROJECT_ID. New users should prefer creating keys from Settings → API Keys for better security and access control.

Creating a Personal API Key

Personal keys are ideal for local development, connecting your AI coding assistant via MCP, or any workflow where you want the key tied to your identity.
1

Go to Settings → API Keys

Navigate to Settings → API Keys in your LangWatch dashboard.
2

Click Create API Key

Click the Create API Key button in the top right.
3

Configure the key

  • Type: Select Personal
  • Name: Give it a descriptive name (e.g., “My MCP key”, “Local dev”)
  • Scope: Select which projects, teams, or the whole organization the key can access
  • Expiration: Optionally set an expiration date
  • Permissions: Choose a permission mode:
    • All — inherits your full permissions at each scope
    • Restricted — fine-grained control over individual permission categories (see Permission Categories)
4

Copy your key

After creation, your key is shown once. Copy it and store it securely — you won’t be able to see the full key again.The key format is: sk-lw-<id>_<secret>

Using a Personal Key

Set both LANGWATCH_API_KEY and LANGWATCH_PROJECT_ID in your environment:
.env
LANGWATCH_API_KEY="sk-lw-..."
LANGWATCH_PROJECT_ID="your-project-id"
You can find your project ID in Settings → Projects or in the project URL.

Creating a Service API Key

Service keys are designed for automated systems — CI/CD pipelines, production services, and multi-project setups. They aren’t tied to any user, so they keep working even if team members leave.
Only organization admins can create service keys.
1

Go to Settings → API Keys

Navigate to Settings → API Keys in your LangWatch dashboard.
2

Click Create API Key

Click the Create API Key button in the top right.
3

Configure the key

  • Type: Select Service
  • Name: Give it a descriptive name (e.g., “CI pipeline”, “Production tracing”)
  • Scope: Select which projects, teams, or the whole organization the key can access
  • Expiration: Optionally set an expiration date
  • Permissions: Choose All for full access, or Restricted for fine-grained control
A service key scoped to the organization with All permissions gets org-wide ADMIN access. Always scope to specific projects when possible.
4

Copy your key

After creation, your key is shown once. Copy it and store it securely.

Using a Service Key

Service keys require LANGWATCH_PROJECT_ID so the SDK knows which project to send traces to:
.env
LANGWATCH_API_KEY="sk-lw-..."
LANGWATCH_PROJECT_ID="your-project-id"

Permission Categories

When using Restricted permissions, you can grant read or write access to individual feature areas:
CategoryReadWrite
TracesView traces and spansCreate, update, and share traces
CostView cost analytics
ScenariosView test scenariosCreate and manage scenarios
AnnotationsView annotationsCreate and manage annotations
AnalyticsView analytics dashboardsCreate and manage dashboards
EvaluationsView evaluationsCreate and manage evaluations
DatasetsView datasetsCreate and manage datasets
TriggersView triggersCreate and manage triggers
WorkflowsView workflowsCreate and manage workflows
PromptsView promptsCreate and manage prompts
SecretsView secretsCreate and manage secrets
Audit LogView audit log
TeamView team membersManage team membership
ProjectView project settingsCreate, update, and delete projects
Categories marked with ”—” for write are read-only by design.

Connecting to AI Assistants (MCP)

Personal API keys work with the LangWatch MCP Server to give your AI coding assistant access to LangWatch features — tracing, analytics, prompt management, and more.
1

Create a personal API key

Follow the steps above to create a personal key.
2

Add the MCP server to your editor

claude mcp add langwatch -- npx -y @langwatch/mcp-server --apiKey sk-lw-...
See the full MCP setup guide for all supported editors.
3

Ask your assistant to instrument your code

"Instrument my codebase with LangWatch"

Permissions Model

API key permissions follow a ceiling model: a personal key can never exceed the creating user’s own permissions.
  • If you have ADMIN access and create a key with All permissions, the key gets ADMIN
  • If you have MEMBER access and create a key with All permissions, the key gets MEMBER (not ADMIN)
  • Restricted keys let you manually narrow access to specific permission categories at read or write level
Service keys bypass the user ceiling since they have no associated user — their permissions come directly from their scope and permission mode. For more on roles and permissions, see Access Control (RBAC).

Managing Keys

From the Settings → API Keys page you can:
  • View all keys — see name, type, status, scope, permissions, creation date, last used, and creator
  • Edit a key — update the name, permission mode, or permission categories
  • Revoke a key — immediately disables the key (cannot be undone)
Rotate keys regularly and revoke any that are no longer in use. Set expiration dates on keys used for temporary workflows.