POST
/
apps
/
{app_id}
/
auth
/
tokens
Create API key
curl --request POST \
  --url https://api.onesignal.com/apps/{app_id}/auth/tokens \
  --header 'Authorization: <authorization>' \
  --header 'Content-Type: <content-type>' \
  --data '{
  "name": "<string>",
  "ip_allowlist_mode": "disabled",
  "ip_allowlist": [
    "<string>"
  ]
}'
{
  "token_id": "<string>",
  "formatted_token": "<string>"
}

Overview

Use this API to create a new App API Key (also called a Rich Authentication Token) for a specific OneSignal app. These keys are used to authenticate API requests at the app level and offer enhanced security features, including optional IP allowlisting.
For background on different OneSignal API keys, see Keys & IDs.

How to use this API

Use your Organization API Key, to authenticate. This key is different from the standard REST API key.

IP allowlisting

By default, the API key will not be restricted to any specific IP addresses. To enable IP allowlisting, you need to set the ip_allowlist_mode parameter to explicit and provide a list of allowed IP addresses in the ip_allowlist parameter. If you want to set the explicit range of IPs that can use this API key, add them by setting ip_allowlist_mode to explicit and in ip_allowlist add the IPs in CIDRs notation as an array of string values.

Headers

Content-Type
string
default:application/json
required
Authorization
string
default:Key YOUR_ORGANIZATION_API_KEY
required

Your Organization API key with prefix Key. See Keys & IDs.

Path Parameters

app_id
string
default:YOUR_APP_ID
required

Your OneSignal App ID in UUID v4 format. See Keys & IDs.

Body

application/json
name
string
required

An internal name you set to help organize and track API keys (Rich Authentication Tokens). Maximum 128 characters.

ip_allowlist_mode
enum<string>

Defaults to disabled, can be set to explicit. If set to explicit, a list of network addresses in the form of CIDRs has to be specified in the ip_allowlist parameter.

Available options:
disabled,
explicit
ip_allowlist
string[]

An array of allowed networks in CIDRs notation. Only IPs in those ranges will be permitted to use the API key.

Response

200

token_id
string

The OneSignal-generated ID specific to the API key. This is not the API key itself.

formatted_token
string

The Rich Authentication Token (REST API Key). It is shown only once and won’t be stored in OneSignal. Keep it secret and secure, as it can’t be retrieved later. See Rotate API Key.