Authentication

Momento uses API keys and session tokens to authenticate requests. API keys are the default long-lived credential and work across all Momento regions. Every SDK client must be given both:

  • the API key, and
  • the correct Momento regional endpoint (cell URL) for your deployment. See the regions page to choose the right one.

If you provide an API key without a regional endpoint, the SDK will fail fast with a clear error.

API keys

API keys authorize access in any Momento region. They support roles so you can scope who can manage or use resources:

  • Owner: full access to all resources, including API keys and account membership.
  • Operator: full access to API/data resources; read-only for account membership.
  • Viewer: read-only access to all resources.

Key management is available in the console and APIs:

  • Generate API keys with a chosen role and optional description. The full key string is shown once; Momento never stores plaintext keys.
  • List API keys to see active keys with metadata (key ID, role, issuedAt, optional expiresAt, description).
  • Revoke API keys to immediately disable use.

If you need fine-grained, short-lived access for end users, issue disposable tokens instead of long-lived keys.
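As an added example (not Momento's code), the following audit runs over the key metadata that listing returns and flags long-lived keys that should be rotated or revoked. The record layout, the `keyId` field name, the ISO 8601 timestamps and the 90-day rotation window are assumptions made for illustration; the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records. Field names follow the metadata the page lists
# (key ID, role, issuedAt, optional expiresAt, description); the dict layout
# and timestamp format are assumptions, not Momento's actual response format.
SAMPLE_KEYS = [
    {"keyId": "k-001", "role": "Owner", "issuedAt": "2023-01-10T00:00:00+00:00",
     "expiresAt": None, "description": "bootstrap"},
    {"keyId": "k-002", "role": "Operator", "issuedAt": "2024-05-01T00:00:00+00:00",
     "expiresAt": "2024-07-01T00:00:00+00:00", "description": "ci deploy"},
    {"keyId": "k-003", "role": "Viewer", "issuedAt": "2024-05-20T00:00:00+00:00",
     "expiresAt": None, "description": ""},
    {"keyId": "k-004", "role": "Operator", "issuedAt": "2024-01-01T00:00:00+00:00",
     "expiresAt": "2025-01-01T00:00:00+00:00", "description": "batch job"},
]

MAX_AGE = timedelta(days=90)  # assumed rotation policy, not a Momento default


def audit_keys(keys, now, max_age=MAX_AGE):
    """Return {keyId: [findings]} for keys that break the assumed policy."""
    findings = {}
    for key in keys:
        issues = []
        issued = datetime.fromisoformat(key["issuedAt"])
        expires = key.get("expiresAt")
        if expires is None:
            # A key without expiry stays valid until someone revokes it.
            if key["role"] in ("Owner", "Operator"):
                issues.append("full-access key with no expiresAt")
            if now - issued > max_age:
                issues.append("older than rotation window, no expiry")
        elif datetime.fromisoformat(expires) - issued > max_age:
            issues.append("lifetime exceeds rotation window")
        if not key.get("description"):
            issues.append("no description; owner unknown")
        if issues:
            findings[key["keyId"]] = issues
    return findings


if __name__ == "__main__":
    as_of = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed for repeatability
    for key_id, issues in audit_keys(SAMPLE_KEYS, as_of).items():
        print(key_id, "->", "; ".join(issues))
```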

Session tokens

Session tokens are short-lived and intended for data-plane access. Generate them with the Momento Auth client when you need temporary, scoped access to caches or topics. Use these for user sessions or browser-facing workflows.