> ## Documentation Index > Fetch the complete documentation index at: https://braintrust.dev/docs/llms.txt > Use this file to discover all available pages before exploring further. # API keys cannot create API keys via impersonation export const plans_0 = "Any" export const deployments_0 = "Any" export const data_plane_version_0 = undefined export const use_case_0 = "Use case - Using impersonation to programmatically create API keys for users so they can only access their own projects" **Applies to:** * Plan - {plans_0} * Deployment - {deployments_0} * {data_plane_version_0} * {use_case_0} ## Summary **Issue:** Calls to the impersonation endpoint to create API keys return `403` with the message `API keys cannot create API keys`. **Cause:** Braintrust intentionally removed the ability for API keys to create other API keys as a security measure. **Resolution:** Use service tokens scoped to the appropriate projects and permission groups, or ask users to create their own API keys upon onboarding. ## Resolution steps ### If you need programmatically scoped access to specific projects #### Step 1: Create a permission group (Enterprise only) In **Settings → Groups**, create a group scoped to the projects your users need access to. > **Note:** Project-scoped permission groups require an Enterprise plan. On Starter or Pro plans, skip to Step 2 and use the service token's built-in permissions instead. #### Step 2: Create a service token In **Settings → Service Tokens**, create a service token. On Enterprise plans, tie it to the permission group from Step 1. On other plans, configure the token's permissions directly. Use this token in place of the per-user API keys you were generating via impersonation. #### Step 3: Update your integration Replace calls to the impersonation endpoint with the service token in your requests. > **Note:** Programmatic creation of service tokens via API key may also be restricted. If you receive a similar `403` error when creating service tokens programmatically, create them manually in the Braintrust UI. ### If you need access scoped to individual user permissions #### Step 1: Invite users to the organization Invite users to your Braintrust org. Their API keys will automatically inherit their assigned permissions. #### Step 2: Ask users to create their own API keys Direct users to **Settings → API Keys** to create a personal key. Include this step in your onboarding instructions. ## Notes * Per-user API keys can no longer be created centrally on behalf of users. * Service tokens with appropriate project permissions are the recommended replacement for scoped programmatic access. * If you previously maintained one service account per user, consider consolidating — per-user service accounts require a permissions-sync layer and create double lifecycle management overhead.