# API Keys

The WarpStream API allows developers to manage API key permissions directly. This contrasts with the WarpStream console and the WarpStream Terraform provider, where API keys are always exposed as account keys, application keys, or agent keys. For more information about this distinction, see [Secrets Overview](https://docs.warpstream.com/warpstream/reference/secrets-overview).

API requests to manage API keys must be authenticated with either an account key or an application key. Account keys can create, list, and delete account keys, as well as application keys in any workspace. Application keys can create, list, and delete application keys and agent keys, but only in their respective workspaces. See [Workspaces and Access Controls](https://docs.warpstream.com/warpstream/reference/manage-console-access/workspaces-and-access-controls).

API key permissions are represented as access grants. An application key is simply an API key with one set of grants, and an agent key is an API key with a different set of grants. Grants are specified when creating new API keys. For details, see [the reference for creating API keys](https://docs.warpstream.com/warpstream/reference/api-reference/api-keys/create).
