Authorization header. You generate these tokens as API keys from the dashboard or the API itself. Each key is scoped to your organization and carries a role that controls what the key is allowed to do.
Key format
All Overwatch API keys follow this format:ow_live_sk_xxxxx) are stored as a non-secret prefix that identifies the key in list views. The full plaintext key is shown only once at creation time — Overwatch stores only a SHA-256 hash and cannot recover the key for you.
Passing your key in requests
Include your API key as a bearer token in theAuthorization header on every request:
Example
$API_KEY with your actual key, or export it as an environment variable before running the command.
Creating an API key
You can create keys two ways: From the dashboard — Go to Settings → Security and click New API key. Choose a name, role, and optional expiration date. From the API — Send aPOST request to /api/v1/api-keys. Only organization owners can create keys. See the API Keys reference for the full request/response shape.
Key expiration
Keys do not expire unless you set anexpiresAt date when creating the key. Once a key expires, all requests made with it return 401 Unauthorized. You can set an expiration at creation time; there is currently no endpoint to extend an expiration after creation.
Roles and permissions
Every key is assigned one of three roles. The role determines which operations the key can perform.| Role | Permissions |
|---|---|
owner | Full access: read, write, manage org, create/delete API keys |
admin | Read and write: create, update, delete monitors and alert channels |
viewer | Read only: list and retrieve monitors, alerts, events, and status |
admin cannot create an owner-level key.
Browser-based sessions are also accepted by all API routes when you are logged into the dashboard. For programmatic and server-side access, API keys are the recommended approach.