Access Control
Rekor provides granular access control through scoped API keys, multi-user organizations, and workspace tags.
Scoped API Keys
Create API keys with specific permissions scoped to workspaces, collections, and environments. Each key can only access what its grants allow.
# Full access key
rekor tokens create --name "admin" \
--grants '[{"scope":{"workspaces":["*"]},"permissions":["*"]}]'
# Read-only key for one workspace
rekor tokens create --name "client-a-reader" \
--grants '[{
"scope": {"workspaces": ["client-a"], "environments": ["production"]},
"permissions": ["read:records", "read:collections"]
}]'
# Agent key that can read and write records in production (no access to preview, no collection writes)
rekor tokens create --name "client-a-agent" \
--grants '[{
"scope": {"workspaces": ["client-a"], "environments": ["production"]},
"permissions": ["read:records", "write:records", "read:collections"]
}]'
Grant Scope
| Field | Description |
|---|---|
| workspaces | Required. ["*"] for all, or specific workspace IDs. |
| collections | Optional. Omit for all collections, or specify IDs. |
| environments | Optional. ["production"], ["preview"], or omit for both. |
Permissions
Each resource type has read and write permissions: read:records, write:records, read:collections, write:collections, read:relationships, write:relationships, read:attachments, write:attachments, read:hooks, write:hooks, read:triggers, write:triggers, read:workspaces, write:workspaces. Use * for all.
Privilege Ceiling
A key can only create child keys whose grants are equal to or narrower than its own, on both axes: scope (workspaces, collections, environments) and permissions. A scoped key therefore cannot mint a full-access key, and it cannot hand a child a permission or environment it does not itself hold.
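The ceiling rule is worth seeing as a concrete check over the grant JSON used by `--grants` above. The following is an added illustration, not Rekor's own implementation: the function names are assumptions, and it makes one conservative simplification, namely that each child grant must be covered by a single parent grant (a child grant that is only covered by the union of two parent grants is rejected, never wrongly accepted). Scope semantics follow the Grant Scope table: `"*"` or an omitted `collections` means all, an omitted `environments` means both.

```python
"""Privilege-ceiling check for Rekor-style grants (added illustration)."""
import json

ALL = object()                                        # sentinel for "every value"
ENVIRONMENTS = frozenset({"production", "preview"})   # omitted => both, per Grant Scope


def scope_values(grant, field):
    """Normalise one scope field to a frozenset of IDs, or ALL."""
    values = grant.get("scope", {}).get(field)
    if field == "workspaces" and not values:
        raise ValueError("scope.workspaces is required in every grant")
    if field == "environments":
        # Omitted or "*" means both environments; an explicit list is taken as-is.
        return ENVIRONMENTS if values is None or "*" in values else frozenset(values)
    if values is None or "*" in values:
        return ALL
    return frozenset(values)


def permission_values(grant):
    perms = grant.get("permissions") or []
    return ALL if "*" in perms else frozenset(perms)


def covers(have, want):
    """True when everything in `want` is contained in `have`."""
    if have is ALL:
        return True
    if want is ALL:
        return False
    return want <= have


def grant_covers(parent, child):
    """True when `parent` is at least as broad as `child` on every axis."""
    return all(
        covers(scope_values(parent, f), scope_values(child, f))
        for f in ("workspaces", "collections", "environments")
    ) and covers(permission_values(parent), permission_values(child))


def uncovered_grants(parent_grants, child_grants):
    """Return the child grants that no single parent grant covers (assumed simplification)."""
    return [c for c in child_grants if not any(grant_covers(p, c) for p in parent_grants)]


def within_ceiling(parent_grants_json, child_grants_json):
    """May a key holding `parent_grants_json` create a key with `child_grants_json`?
    Both arguments use the --grants JSON shape shown on this page."""
    return not uncovered_grants(json.loads(parent_grants_json), json.loads(child_grants_json))


# The three grant documents from the token examples above.
ADMIN = '[{"scope":{"workspaces":["*"]},"permissions":["*"]}]'
READER = ('[{"scope":{"workspaces":["client-a"],"environments":["production"]},'
          '"permissions":["read:records","read:collections"]}]')
AGENT = ('[{"scope":{"workspaces":["client-a"],"environments":["production"]},'
         '"permissions":["read:records","write:records","read:collections"]}]')
# Constructed: same as READER but without the environment restriction (i.e. both environments).
READER_ALL_ENVS = '[{"scope":{"workspaces":["client-a"]},"permissions":["read:records"]}]'

if __name__ == "__main__":
    print("admin  -> reader:", within_ceiling(ADMIN, READER))            # True
    print("agent  -> reader:", within_ceiling(AGENT, READER))            # True
    print("reader -> agent: ", within_ceiling(READER, AGENT))            # False: adds write:records
    print("reader -> admin: ", within_ceiling(READER, ADMIN))            # False: escalation
    print("reader -> both envs:", within_ceiling(READER, READER_ALL_ENVS))  # False: widens environments
```

Note that dropping a scope field in the child is a widening, not a narrowing: a production-only key cannot issue a child whose `environments` is omitted, because omission means both environments.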
Key Expiration
Set an expiration date on any key; expired keys are rejected automatically. Prefer short-lived keys for automation, and use last_used_at to find keys that have not been used recently so they can be revoked before they become a forgotten credential.
# Create a key that expires in 90 days
rekor tokens create --name "temp-agent" \
--grants '[{"scope":{"workspaces":["*"]},"permissions":["read:records"]}]' \
--expires-at 2026-06-25T00:00:00Z
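A small audit over token metadata turns the last_used_at and expiration advice into something that can run on a schedule. This is an added example, not Rekor tooling: it assumes token records are available as JSON objects with `name`, `expires_at` and `last_used_at` fields (the two timestamp names appear on this page, the record shape is an assumption), with RFC 3339 UTC timestamps like the one passed to --expires-at above. The sample records are constructed.

```python
"""Stale and expiring key audit over token metadata (added example, assumed record shape)."""
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse 'YYYY-MM-DDTHH:MM:SSZ' into an aware UTC datetime; None stays None."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_keys(records, now, unused_days=30, expiring_days=7):
    """Bucket keys by what an operator should do about them.

    expired       -> already rejected by the service; revoke to tidy the list
    expiring_soon -> rotate before the expiry date
    never_used    -> created but never exercised; likely safe to revoke
    stale         -> not used within `unused_days`; revoke or confirm still needed
    no_expiry     -> consider recreating with --expires-at
    """
    report = {"expired": [], "expiring_soon": [], "never_used": [], "stale": [], "no_expiry": []}
    unused_cutoff = now - timedelta(days=unused_days)
    expiring_cutoff = now + timedelta(days=expiring_days)
    for rec in records:
        name = rec["name"]
        expires = parse_ts(rec.get("expires_at"))
        last_used = parse_ts(rec.get("last_used_at"))
        if expires is None:
            report["no_expiry"].append(name)
        elif expires <= now:
            report["expired"].append(name)
            continue  # usage of an expired key is moot
        elif expires <= expiring_cutoff:
            report["expiring_soon"].append(name)
        if last_used is None:
            report["never_used"].append(name)
        elif last_used < unused_cutoff:
            report["stale"].append(name)
    return report


# Constructed sample records; not real `rekor tokens list` output.
SAMPLE = [
    {"name": "admin", "expires_at": None, "last_used_at": "2026-03-20T10:00:00Z"},
    {"name": "client-a-reader", "expires_at": "2026-06-25T00:00:00Z", "last_used_at": "2026-01-05T08:30:00Z"},
    {"name": "temp-agent", "expires_at": "2026-03-30T00:00:00Z", "last_used_at": None},
    {"name": "old-ci", "expires_at": "2026-02-01T00:00:00Z", "last_used_at": "2026-01-20T12:00:00Z"},
]
NOW = datetime(2026, 3, 27, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible

if __name__ == "__main__":
    for bucket, names in audit_keys(SAMPLE, NOW).items():
        print(f"{bucket:14} {names}")
```

With the constructed sample and the fixed clock, old-ci is reported as expired, temp-agent as both expiring soon and never used, client-a-reader as stale, and admin as having no expiry. Each bucket maps to a `rekor tokens revoke <token_id>` or a recreate with a narrower grant and an expiry.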
Managing Keys
# List all keys (shows status, last used, expiration)
rekor tokens list
# Revoke a key
rekor tokens revoke <token_id>
The raw key value is shown only once, at creation, and cannot be retrieved later. Store it in a secret store (for example the organization vault described below) rather than in scripts or chat. If a key value is lost or may have been exposed, revoke it and create a new one.
Secret Vault
Store API keys, credentials, and other sensitive values at the organization level. All vault secrets are encrypted at rest and masked in API responses.
Use the vault to centralize secrets for external integrations, then reference them from workspace configurations.
Organizations
Users can belong to multiple organizations. Each organization has its own workspaces, data, and API keys. Invite team members to collaborate on shared workspaces.
Workspace Tags
Tag workspaces to group them by client, project, team, or any other dimension. Tags are queryable for easy filtering.
# Create with tags
rekor workspaces create client-a --name "Client A" \
--tags "client:acme,region:us"
# Update tags
rekor workspaces tag client-a --tags "client:acme,region:us,billing"
# Filter by tag
rekor workspaces list --tag "client:acme"
Tags are simple strings (max 20 per workspace, 50 characters each). Use a key:value convention for structured grouping.