Secrets Overview

API Keys

API Keys authenticate requests to the WarpStream control plane. WarpStream defines two kinds of API Keys, Application Keys and Agent Keys. Both can be found in the WarpStream console in the API Keys sidebar view.

Application Keys

Application Keys authenticate requests to WarpStream's public HTTP API. For example they are useful for managing resources inside your account via infrastructure-as-code.

All Application Keys are unrestricted for now. The same key can access any resource in your account that's exposed via WarpStream's public API.

See WarpStream's API reference to learn how to include your Application Key in your API requests.

Agent Keys

Agent Keys authenticate an Agent with the WarpStream control plane in order to manage a BYOC virtual cluster. Each Agent Key is associated with a single cluster. An Agent pointing to a virtual cluster that doesn't match its Agent Key will fail with an authorization error.

Agent Keys apply to BYOC virtual clusters only. When a BYOC virtual cluster is created, a matching Agent Key is generated automatically. Serverless clusters bypass the need to deploy an Agent and therefore do not support Agent Keys.

You can view all Agent Keys in your account in the console's API Keys sidebar view. You can view all the Agent Keys for a given BYOC cluster in the cluster's Agent Keys tab.

See WarpStream's documentation on Agent Configuration to learn how to pass a key to your Agent.

Cluster Credentials

Whereas Agent Keys authenticate your Agent with the WarpStream control plane, cluster credentials authenticate your Kafka client with your Agent using SASL.

By default, SASL is disabled for BYOC virtual clusters because the Agents run in your cloud account. However, you can configure your cluster to require SASL authentication by following the WarpStream documentation on SASL Authentication.