Permissions

Understanding API key permissions and access control

API keys inherit permissions from the organization they belong to, allowing access to all resources within that organization.

Organization-Level Access

Each API key is associated with a specific organization. When you create an API key, it automatically has access to:

  • Sandboxes: Create, list, manage, and delete sandboxes
  • Projects: Create, list, and delete projects
  • MCP Servers: Create, list, and manage MCP server configurations
  • Resources: Access the organization's packages and usage statistics

API keys cannot access resources from other organizations.

Resource Operations

Sandboxes

API keys can perform the following sandbox operations:

  • Create new sandboxes with specified configurations
  • List all sandboxes in the organization
  • Execute actions within sandboxes
  • Take screenshots and previews
  • Copy files to and from sandboxes
  • Extend sandbox lifetime
  • Delete sandboxes

Projects

API keys can manage projects:

  • Create new projects
  • List all projects in the organization
  • Delete projects

MCP Servers

API keys can configure MCP servers:

  • Create MCP server configurations
  • List MCP server configurations
  • Associate MCP servers with sandboxes
  • Delete MCP server configurations

Access Scope

What API Keys Can Access

API keys provide full access to organization resources through the Lybic API. This includes:

  • All API endpoints documented in the API Reference
  • SDK functionality for automation and integration
  • MCP Server integration for AI applications

What API Keys Cannot Access

API keys cannot perform administrative actions:

  • Modifying organization settings
  • Managing organization members or invitations
  • Purchasing plans or packages
  • Accessing billing information
  • Managing other users' API keys

These actions require Dashboard login with user credentials.

Usage Limitations

Package Consumption

API operations consume resources from your organization's packages:

  • Creating sandboxes consumes sandbox hours
  • Running AI agents consumes agent credits

Monitor your package usage in the Dashboard to ensure sufficient resources.

Security Considerations

Single Organization Scope

Each API key is scoped to a single organization. To access resources in multiple organizations, you need separate API keys for each organization.

Key Isolation

API keys created by different users are isolated. Each user can only view and manage their own API keys through the Dashboard.

No Permission Delegation

API keys cannot create or manage other API keys. Key management must be done through the Dashboard by authenticated users.

Best Practices

Principle of Least Privilege

Create separate API keys for different purposes:

  • Production applications
  • Development and testing
  • CI/CD pipelines
  • Different team members

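Because every key carries the same organization-wide access, separate keys do not narrow what any one key can do; they let you revoke a specific key without disrupting other services.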

Regular Audits

Periodically review your API keys in the Dashboard:

  • Delete unused keys
  • Verify key names match their current usage
  • Remove keys for team members who no longer need access
