COMING SOON - The application key APIs are under development, and will be available soon.

Application Keys

Application keys control access to your B2 account. You can get the master application key for your account from the B2 Cloud Storage Buckets page on the Backblaze web site.

The master key for your account has complete access. When you deploy a key on a server or in an app, it's a good idea to create a key with fewer capabilities. You can use b2_create_key to create an application key with specific capabilities. If you want, it can be limited to a single storage bucket, or even to certain files within a bucket. For example, you can create a key that can only upload files to a single bucket.

It is fine to make a lot of application keys. If you are creating a cell phone app and want to make a key for each of your customers, that's fine. The current limit lets you create 100 million keys per account. (Talk to us if you need more.)

The API calls related to application keys are:

Using Application Keys

The sequence of actions to access B2 is:

  • Log into your account, and create the master application key for the account. This master key is good until a new master key is created. Creating a new master key invalidates the old one.
  • Use the master key with b2_authorize_account to create an authorization token that is capable of creating application keys.
  • Create an application key with the capabilities you require to access B2. This key is good indefinitely, unless you set an expiration time.
  • Use the new application key to get an authorization token that can be used to access the B2 APIs. Authorization tokens are only good for 24 hours. You can use the application key to make new authorization tokens as they expire.

Each application key grants access to different capabilities in B2. The authorization token you get when you use an application key is limited to the capabilities of the application key.

Managing Application Keys

You can create new keys with b2_create_key, list all of the existing keys with b2_list_keys, and delete keys with b2_delete_key.

When you create a new application key, the response contains the actual key string, which looks like: N2Zug0evLcHDlh_L0Z0AJhiGGdY. This is the only time you will get the key string. If you lose it, you will need to create a new application key. There is no way to retrieve the key string for an existing key.

You can assign a name to a new application key, but the name is only for your use. It is not possible to look up a key by name. There is no requirement that names are unique.

Application keys can have expiration times. Once a key expires, it ceases to exist. Expired keys can no longer be used to generate auth tokens, and will no longer be listed by b2_list_keys.

COMING NOT QUITE SO SOON - The Backblaze web site will let you create and manage your application keys.


Each application key is associated with a set of capabilities, and each of those capabilities gives you access to some of the B2 APIs. These are all of the capabilities, and their associated APIs:

Bucket Restriction

An application key can be restricted to one bucket. All access to all other buckets will be blocked, and the b2_list_buckets call will return just that one bucket.

Application keys that are restricted to a bucket can only access these capabilities:

  • listBuckets
  • listFiles
  • readFiles
  • shareFiles
  • writeFiles
  • deleteFiles

Application keys can also be restricted to the files in a bucket matching a file name prefix. Listing files will only return matching files. Reading, writing, and deleting are only allowed for matching files.
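
To see how the capability, bucket, and file name prefix restrictions combine, here is a small local model in Python. It is an added example, not Backblaze code, and it makes no API calls. The KeySpec, validate, and is_allowed names, the sample bucket IDs, and the rule that a prefix requires a bucket restriction are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Capabilities this page lists as available to a bucket-restricted key.
BUCKET_SCOPED = {"listBuckets", "listFiles", "readFiles",
                 "shareFiles", "writeFiles", "deleteFiles"}

@dataclass(frozen=True)
class KeySpec:                          # hypothetical name, not a B2 type
    capabilities: frozenset
    bucket_id: Optional[str] = None     # None = not restricted to one bucket
    name_prefix: Optional[str] = None   # None = every file in the bucket

def validate(spec):
    """Return the problems with a proposed key; an empty list means it is acceptable."""
    problems = []
    if not spec.capabilities:
        problems.append("no capabilities requested")
    if spec.bucket_id is not None:
        extra = sorted(spec.capabilities - BUCKET_SCOPED)
        if extra:
            problems.append("not allowed on a bucket-restricted key: " + ", ".join(extra))
    # Assumption: a file name prefix only makes sense inside a single bucket.
    if spec.name_prefix is not None and spec.bucket_id is None:
        problems.append("a file name prefix requires a bucket restriction")
    return problems

def is_allowed(spec, capability, bucket_id, file_name=None):
    """Decide whether a token derived from this key may perform one operation."""
    if capability not in spec.capabilities:
        return False    # a token is limited to the capabilities of its key
    if spec.bucket_id is not None and bucket_id != spec.bucket_id:
        return False    # access to all other buckets is blocked
    # The page states the prefix rule for listing, reading, writing and deleting;
    # here it is applied to any call that names a file (assumption).
    if spec.name_prefix is not None and file_name is not None:
        return file_name.startswith(spec.name_prefix)
    return True

if __name__ == "__main__":
    # Constructed sample: an upload-only key for one bucket and one prefix.
    uploader = KeySpec(frozenset({"writeFiles"}), "bucket-A", "uploads/")
    print(validate(uploader))
    for bucket, name in [("bucket-A", "uploads/a.txt"),
                         ("bucket-A", "private/a.txt"),
                         ("bucket-B", "uploads/a.txt")]:
        print(bucket, name, is_allowed(uploader, "writeFiles", bucket, name))
```

Running validate over every key definition before it is created catches keys that ask for more than a bucket-restricted key can hold.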