Access keys

Create and manage CipherStash access keys for programmatic access to CipherStash Services like ZeroKMS, with member, control, and admin roles and their available scopes.

Access keys are used to authenticate programmatic access to CipherStash CTS and ZeroKMS.

Access keys are primarily needed for production and CI/CD environments. For local development, device-based authentication handles access automatically — no access keys required. See Getting started to set up device auth.

Creating an access key

In the CipherStash Dashboard, you can create an access key by clicking the Create access key button in the Access Keys section for your workspace.

Roles

Each access key is assigned a role that determines its permissions. Use the role with the least required privileges and avoid higher privileges unless absolutely necessary.

Member

The member role is used for authenticating client keys for cryptographic operations.

These are the scopes that are available to the member role:

keyset:list
data_key:generate
data_key:retrieve

Control

The control role is used for workspace automation tasks. It has access to the CipherStash API endpoints for creating, listing, enabling, disabling, granting, modifying, and revoking keysets and client keys.

These are the scopes that are available to the control role:

keyset:create
keyset:list
keyset:enable
keyset:disable
keyset:grant
keyset:modify
keyset:revoke
client:list

Admin

In production environments, it is recommended to never use the admin role. Use the member role for authenticating client keys, and the control role for workspace automation tasks.

The admin role is "god" mode. It has access to all the CipherStash API endpoints and can authenticate client keys for cryptographic operations.

These are the scopes that are available to the admin role:

keyset:create
keyset:list
keyset:enable
keyset:disable
keyset:grant
keyset:modify
keyset:revoke
data_key:generate
data_key:retrieve
client:create
client:list
client:delete
access_key:create
access_key:list
access_key:delete
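
An added example, not CipherStash code: a local audit that applies the least-privilege advice above by finding the narrowest role, or pair of roles, that covers the scopes a workload needs. It uses only the role and scope lists on this page and makes no API calls; the inventory format, key names and function names are assumptions made for illustration.

```python
# Role -> scope tables copied from the role sections of this page.
ROLE_SCOPES = {
    "member": {"keyset:list", "data_key:generate", "data_key:retrieve"},
    "control": {"keyset:create", "keyset:list", "keyset:enable", "keyset:disable",
                "keyset:grant", "keyset:modify", "keyset:revoke", "client:list"},
}
# admin = every member and control scope plus client/access_key management.
ROLE_SCOPES["admin"] = ROLE_SCOPES["member"] | ROLE_SCOPES["control"] | {
    "client:create", "client:delete",
    "access_key:create", "access_key:list", "access_key:delete",
}

def plan_roles(required):
    """Return the role(s) to request for a workload needing `required` scopes."""
    required = set(required)
    unknown = required - ROLE_SCOPES["admin"]
    if unknown:
        raise ValueError(f"unknown scopes: {sorted(unknown)}")
    for role in ("member", "control"):  # narrowest role first
        if required <= ROLE_SCOPES[role]:
            return [role]
    # Covered by member + control together: two separate keys, not one admin key.
    if required <= ROLE_SCOPES["member"] | ROLE_SCOPES["control"]:
        return ["member", "control"]
    return ["admin"]

def audit_key(name, role, required, production=True):
    """Return findings for one access key; an empty list means it passes."""
    required, findings = set(required), []
    plan = plan_roles(required)
    missing = sorted(required - ROLE_SCOPES[role])
    if missing:
        findings.append(f"{name}: role {role} lacks {missing}")
    elif [role] != plan:
        findings.append(f"{name}: role {role} exceeds need, use {' + '.join(plan)}")
    if production and role == "admin":
        findings.append(f"{name}: admin role used in production")
    return findings

INVENTORY = [  # constructed sample: (hypothetical key name, role, scopes needed)
    ("app-encrypt", "member", ["data_key:generate", "data_key:retrieve"]),
    ("ci-keysets", "admin", ["keyset:create", "keyset:grant", "client:list"]),
    ("ops-rotation", "admin", ["access_key:create", "access_key:delete"]),
]

if __name__ == "__main__":
    for name, role, required in INVENTORY:
        for finding in audit_key(name, role, required):
            print(finding)
```
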