# Org-wide API key auditing is UI-only

export const plans_0 = "Enterprise"

export const deployments_0 = "Any"

export const data_plane_version_0 = undefined

export const use_case_0 = "Use case - Enterprise org owners needing to programmatically audit or list API keys across all organization members for compliance and key lifecycle management"

<Note>
  **Applies to:**

  * Plan - {plans_0}
  * Deployment - {deployments_0}
  * {data_plane_version_0}
  * {use_case_0}
</Note>

## Summary

**Issue:** Org owners cannot programmatically list API key metadata across all users in the organization. `GET /v1/api_key` returns only the caller's own keys, even for org owners.

**Cause:** The org-wide key listing logic (`makeOwnerApiKeysFullResultSetQuery`) is only exposed through UI server actions, not through the public REST API.

**Resolution:** Use the Braintrust UI to audit org-wide API keys. A dedicated read-only endpoint is a tracked feature request with no current ETA.

***

## Current behavior

| Method                                   | Org-owner access                 |
| ---------------------------------------- | -------------------------------- |
| Braintrust UI                            | View and manage all org API keys |
| `GET /v1/api_key`                        | Returns caller's own keys only   |
| `GET /v1/organization/{org_id}/api-keys` | Does not exist                   |

***

## Workaround

### Using the UI

Org owners can view and manage all API keys under **Settings → API Keys** in the Braintrust UI. This is the only supported method for org-wide key auditing at this time.

### Using user impersonation

The API supports impersonating users to fetch their keys:

1. Call `POST /v1/impersonate` with a target user ID.
2. Use the returned token to call `GET /v1/api_key`.
3. Repeat for each user in the org.

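```bash
# Assumes BRAINTRUST_API_URL (API base URL) and BRAINTRUST_API_KEY (org owner's key) are set.
# Step 1: Impersonate a user
curl -X POST "$BRAINTRUST_API_URL/v1/impersonate" \
  -H "Authorization: Bearer $BRAINTRUST_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "user_id": "<user_id>" }'

# Step 2: List their keys using the impersonation token
curl "$BRAINTRUST_API_URL/v1/api_key" \
  -H "Authorization: Bearer <impersonation_token>"
```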
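The loop in steps 1 to 3, turned into a single org-wide inventory, as an added example (not Braintrust's code). `impersonate` and `list_keys` are hypothetical callables you supply to wrap the two requests; the key field names `id`, `name`, `created`, the 90-day staleness threshold, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_org_keys(user_ids, impersonate, list_keys, now, max_age_days=90):
    """Run the impersonation loop over every user and build one inventory.

    impersonate(user_id) -> token     (wraps POST /v1/impersonate)
    list_keys(token) -> list of dicts (wraps GET /v1/api_key)
    """
    cutoff = now - timedelta(days=max_age_days)
    inventory, unaudited = [], {}
    for user_id in user_ids:
        try:
            token = impersonate(user_id)
            keys = list_keys(token)
        except Exception as exc:
            # A user we could not impersonate is a coverage gap, not "no keys".
            unaudited[user_id] = type(exc).__name__
            continue
        for key in keys:
            created = datetime.fromisoformat(key["created"].replace("Z", "+00:00"))
            # Keep key metadata only; the impersonation token is never stored.
            inventory.append({
                "user_id": user_id, "key_id": key["id"], "name": key["name"],
                "created": created, "stale": created < cutoff})
    return inventory, unaudited

# Constructed sample data standing in for the API (field names are assumptions).
_FAKE_KEYS = {
    "user-a": [{"id": "key-1", "name": "ci", "created": "2023-01-10T00:00:00Z"},
               {"id": "key-2", "name": "laptop", "created": "2024-05-20T00:00:00Z"}],
    "user-b": [],
}

def fake_impersonate(user_id):
    if user_id not in _FAKE_KEYS:
        raise PermissionError(user_id)
    return "token-for-" + user_id

def fake_list_keys(token):
    return _FAKE_KEYS[token[len("token-for-"):]]

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    inv, gaps = audit_org_keys(["user-a", "user-b", "user-c"],
                               fake_impersonate, fake_list_keys, now)
    for row in inv:
        print(row["user_id"], row["key_id"], row["name"], "STALE" if row["stale"] else "ok")
    print("not audited:", gaps)
```

Users listed under "not audited" should be followed up in the UI, since an empty result for them would otherwise read as a clean audit.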
