Access Control

Rekor provides granular access control through scoped API keys, multi-user organizations, and database tags.

Scoped API Keys

Create API keys with specific permissions scoped to databases, collections, and environments. Each key can only access what its grants allow.

# Full access key
rekor tokens create --name "admin" \
  --grants '[{"scope":{"databases":["*"]},"permissions":["*"]}]'

# Read-only key for one database
rekor tokens create --name "client-a-reader" \
  --grants '[{
    "scope": {"databases": ["client-a"], "environments": ["production"]},
    "permissions": ["read:documents", "read:collections"]
  }]'

# Agent key: read and write documents in production (collections read-only)
rekor tokens create --name "client-a-agent" \
  --grants '[{
    "scope": {"databases": ["client-a"], "environments": ["production"]},
    "permissions": ["read:documents", "write:documents", "read:collections"]
  }]'

Grant Scope

Field          Description
databases      Required. ["*"] for all, or specific database IDs.
collections    Optional. Omit for all collections, or specify IDs.
environments   Optional. ["production"], ["preview"], or omit for both.

Permissions

Each resource type has a read and a write permission, written read:<type> and write:<type>:

  read:documents, write:documents
  read:collections, write:collections
  read:relationships, write:relationships
  read:attachments, write:attachments
  read:hooks, write:hooks
  read:triggers, write:triggers
  read:databases, write:databases

Use * for all permissions.

Privilege Ceiling

A key can only create child keys whose grants are equal to or narrower than its own, in both scope and permissions. A scoped key cannot escalate to full access.
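The following is an added example, not code from the Rekor CLI or its documentation. It is a client-side pre-check you can run before `rekor tokens create`: given the JSON you intend to pass as `--grants` for a child key and the grants of the key that will create it, it decides whether the child fits under the parent using the rules on this page (databases required, `["*"]` means all, omitted collections means all, omitted environments means both, `*` means all permissions). The function and constant names (`check_grants_json`, `grants_within_ceiling`, `ADMIN_GRANTS` and so on) are this example's own, and the three sample grant sets are constructed from the commands above. The check is deliberately conservative: it requires every child grant to sit inside one single parent grant, so it may reject a child that the server would accept because the union of several parent grants covers it, but it will never pass something the ceiling rule forbids.

```python
import json

WILDCARD = "*"
ALL_ENVIRONMENTS = {"production", "preview"}   # omitting environments means both
SCOPE_FIELDS = ("databases", "collections", "environments")

# Constructed from the three keys created above (not real tokens).
ADMIN_GRANTS = '[{"scope":{"databases":["*"]},"permissions":["*"]}]'
READER_GRANTS = ('[{"scope":{"databases":["client-a"],"environments":["production"]},'
                 '"permissions":["read:documents","read:collections"]}]')
AGENT_GRANTS = ('[{"scope":{"databases":["client-a"],"environments":["production"]},'
                '"permissions":["read:documents","write:documents","read:collections"]}]')


def validate_grant(grant):
    """Reject grants that do not match the documented shape."""
    scope = grant.get("scope", {})
    if not scope.get("databases"):
        raise ValueError("scope.databases is required")
    for field in SCOPE_FIELDS:
        if field in scope and not isinstance(scope[field], list):
            raise ValueError(f"scope.{field} must be a list")
    perms = grant.get("permissions")
    if not isinstance(perms, list) or not perms:
        raise ValueError("permissions must be a non-empty list")


def scope_coverage(scope, field):
    """Set of IDs a scope field covers; None means 'everything'."""
    values = scope.get(field)
    if values is None or WILDCARD in values:
        # environments has a finite universe, so expand it to a concrete set
        return ALL_ENVIRONMENTS if field == "environments" else None
    return set(values)


def covered(child, parent):
    """True if child coverage lies inside parent coverage (None = everything)."""
    if parent is None:
        return True
    if child is None:
        return False
    return child <= parent


def grant_within(child, parent):
    """True if one child grant is entirely inside one parent grant."""
    for field in SCOPE_FIELDS:
        if not covered(scope_coverage(child["scope"], field),
                       scope_coverage(parent["scope"], field)):
            return False
    child_perms = None if WILDCARD in child["permissions"] else set(child["permissions"])
    parent_perms = None if WILDCARD in parent["permissions"] else set(parent["permissions"])
    return covered(child_perms, parent_perms)


def grants_within_ceiling(child_grants, parent_grants):
    """Every child grant must fit inside some single parent grant (conservative)."""
    for grant in list(child_grants) + list(parent_grants):
        validate_grant(grant)
    return all(any(grant_within(c, p) for p in parent_grants) for c in child_grants)


def check_grants_json(child_json, parent_json):
    """Same check, taking the JSON strings you would pass to --grants."""
    return grants_within_ceiling(json.loads(child_json), json.loads(parent_json))


if __name__ == "__main__":
    print("reader under admin:", check_grants_json(READER_GRANTS, ADMIN_GRANTS))
    print("agent under reader:", check_grants_json(AGENT_GRANTS, READER_GRANTS))
```

Run it against the grants you are about to submit; a `False` means the create call should fail at the server, and if it does not, that is worth a bug report rather than a celebration.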

Key Expiration

Set an expiration date on any key. Expired keys are automatically rejected. Track usage with last_used_at to identify stale keys.

# Create a key that expires in 90 days
rekor tokens create --name "temp-agent" \
  --grants '[{"scope":{"databases":["*"]},"permissions":["read:documents"]}]' \
  --expires-at 2026-06-25T00:00:00Z

Managing Keys

# List all keys (shows status, last used, expiration)
rekor tokens list

# Revoke a key
rekor tokens revoke <token_id>

The raw key value is shown only once on creation. Store it securely — it cannot be retrieved later.
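An added example, not part of the Rekor CLI, for the key-expiration and key-management steps above: a small audit that takes the token listing as JSON records and sorts keys into buckets that call for action (already expired, about to expire, unused for a while, never used, or carrying no expiry at all), then emits the matching `rekor tokens revoke <token_id>` commands as strings rather than running them. The record layout (`id`, `name`, `status`, `created_at`, `expires_at`, `last_used_at`) is an assumption; the page names `last_used_at` and says `rekor tokens list` shows status, last used and expiration, but does not document a machine-readable output, so adapt the field names to what your listing actually produces. The sample records and the fixed `NOW` are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=30)

# Fixed clock and constructed listing records (assumed layout, see lead-in).
NOW = datetime(2026, 4, 1, tzinfo=timezone.utc)
SAMPLE_KEYS = [
    {"id": "tok_1", "name": "admin", "status": "active",
     "created_at": "2025-01-10T09:00:00Z", "expires_at": None,
     "last_used_at": "2026-03-31T12:00:00Z"},
    {"id": "tok_2", "name": "client-a-reader", "status": "active",
     "created_at": "2025-06-01T00:00:00Z", "expires_at": "2026-12-31T00:00:00Z",
     "last_used_at": "2026-01-15T08:30:00Z"},
    {"id": "tok_3", "name": "temp-agent", "status": "active",
     "created_at": "2025-12-01T00:00:00Z", "expires_at": "2026-04-20T00:00:00Z",
     "last_used_at": None},
    {"id": "tok_4", "name": "old-ci", "status": "active",
     "created_at": "2025-03-01T00:00:00Z", "expires_at": "2026-03-01T00:00:00Z",
     "last_used_at": "2026-02-20T00:00:00Z"},
    {"id": "tok_5", "name": "already-gone", "status": "revoked",
     "created_at": "2025-03-01T00:00:00Z", "expires_at": None,
     "last_used_at": None},
]


def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp like 2026-06-25T00:00:00Z; None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_keys(keys, now, stale_after=STALE_AFTER):
    """Bucket active keys by the action they need; revoked keys are skipped."""
    buckets = {"expired": [], "expiring": [], "stale": [], "never_used": [], "no_expiry": []}
    for key in keys:
        if key.get("status") == "revoked":
            continue
        expires = parse_ts(key.get("expires_at"))
        last_used = parse_ts(key.get("last_used_at"))
        if expires is None:
            buckets["no_expiry"].append(key["name"])      # no ceiling on lifetime
        elif expires <= now:
            buckets["expired"].append(key["name"])        # server rejects it already
            continue                                      # no further checks needed
        elif expires - now <= stale_after:
            buckets["expiring"].append(key["name"])       # rotate before it lapses
        if last_used is None:
            if now - parse_ts(key["created_at"]) > stale_after:
                buckets["never_used"].append(key["name"])  # probably issued and forgotten
        elif now - last_used > stale_after:
            buckets["stale"].append(key["name"])          # nothing has used it lately
    return buckets


def revoke_commands(keys, buckets):
    """Commands to clean up expired and stale keys; print them, review, then run."""
    by_name = {key["name"]: key["id"] for key in keys}
    targets = buckets["expired"] + buckets["stale"]
    return [f"rekor tokens revoke {by_name[name]}" for name in targets]


if __name__ == "__main__":
    result = classify_keys(SAMPLE_KEYS, NOW)
    for bucket, names in result.items():
        print(f"{bucket:10s} {names}")
    print("\n".join(revoke_commands(SAMPLE_KEYS, result)))
```

Expired keys are already rejected by the server, so revoking them is housekeeping; the stale and never-used buckets are where a leaked-but-unused key would hide, and the no-expiry bucket is the list to work through when tightening policy.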

Secret Vault

Store API keys, credentials, and other sensitive values at the organization level. All vault secrets are encrypted at rest and masked in API responses.

Use the vault to centralize secrets for external integrations, then reference them from database configurations.

Organizations

Users can belong to multiple organizations. Each organization has its own databases, data, and API keys. Invite team members to collaborate on shared databases.

Database Tags

Tag databases to group them by client, project, team, or any other dimension. Tags are queryable for easy filtering.

# Create with tags
rekor databases create client-a --name "Client A" \
  --tags "client:acme,region:us"

# Update tags
rekor databases tag client-a --tags "client:acme,region:us,billing"

# Filter by tag
rekor databases list --tag "client:acme"

Tags are simple strings (max 20 per database, 50 characters each). Use a key:value convention for structured grouping.
