# Organization API keys

Use the same API keys across your Stripe Organization.

If you have multiple Stripe business accounts in an [organization](https://docs.stripe.com/get-started/account/orgs.md), you can configure a single API key at the organization level. Organization-level API keys provide the following functionality:

- **Access any account**: Use organization API keys to access resources of any account within the organization.
- **Restrict permissions**: Restrict organization API keys to grant read or write permission to only specific resources.
- **Centralized management**: Create and manage organization API keys on the [API keys](https://dashboard.stripe.com/org/api-keys/secret) tab of your organization’s Dashboard.

### Behavior

Organization API keys are prefixed `sk_org`. Like account-level [restricted API keys](https://docs.stripe.com/keys/restricted-api-keys.md) (RAKs) or secret keys, you can limit their permissions, and they support sandboxes and live mode.

Organization API keys are different from account-level API keys in several ways:

- All organization API keys are secrets. Unlike accounts, organizations don’t have publishable API keys.
- Organization API keys all have the same `sk_org` prefix, regardless of their permission levels. (There’s no `rk_org` prefix.)
- All API requests made with an organization API key must include the `Stripe-Context` header to identify the affected account.
- All API requests made with an organization API key must include the `Stripe-Version` header to ensure consistency and predictability across your organization’s integrations.

### Security considerations

Because organization API keys are secrets, you must follow [best practices](https://docs.stripe.com/keys-best-practices.md) to store and use them safely. Use the same precautions you’d use for a restricted or secret API key.

Use an organization API key only when you need to perform operations across multiple accounts or on the organization itself.
Don’t use an organization API key if you need to access only one account.

### Use organization API keys

Your code or the Stripe SDK sends your organization API key as a bearer token in an `Authorization` header, the same way you’d use a restricted or secret API key. When you use an organization API key, you must also:

- Specify an API version by including a `Stripe-Version` header. When you use a [Stripe SDK](https://docs.stripe.com/sdks/set-version.md), the SDK automatically sets the API version.
- Identify the account affected by the API request by including the `Stripe-Context` header.

For example, given the following organization structure:

```
Organization (org_6SD3oI0eSQemPzdmaGLJ5j6)
├── Platform account (acct_1R3fqDP6919yCiFv)
|   └── Connected account (acct_1032D82eZvKYlo2C)
└── Standalone account (acct_1aTnTtAAB0hHJ26p)
```

You can use the organization API key to access the balance of the standalone account. You can also use the same key to make the same call for the platform’s connected account.

```curl
curl https://api.stripe.com/v1/balance \
  -u {{ORG_SECRET_KEY}}: \
  -H "Stripe-Version: {{STRIPE_API_VERSION}}" \
  -H "Stripe-Context: {{CONTEXT_ID}}"
```

In the preceding code example, replace `{{ORG_SECRET_KEY}}` with an organization API key and replace `{{CONTEXT_ID}}` with the relevant value from the organization structure above:

- For the standalone account, use `acct_1aTnTtAAB0hHJ26p`.
- For the connected account, use a path that identifies both the platform and the connected account, following the format `acct_1R3fqDP6919yCiFv/acct_1032D82eZvKYlo2C`.

You must specify the relevant account using the context and the API version in any API request using an organization key.

Organizations don’t have publishable API keys because they can’t accept payments. You can use your organization API key to create a PaymentIntent for any account in your organization, but you must use existing account-specific publishable keys for client-side operations.
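
For integrations that build requests by hand rather than through an SDK, the header rules above can be enforced in one place before any request leaves the service. The following is an added example, not Stripe's code: the function names and the context allowlist (a local least-privilege guard, not a Stripe feature) are assumptions, and the key and version strings a caller passes in are their own; the account IDs come from the organization structure above.

```python
import re

# Account IDs taken from the example organization structure on this page.
PLATFORM = "acct_1R3fqDP6919yCiFv"
CONNECTED = "acct_1032D82eZvKYlo2C"
STANDALONE = "acct_1aTnTtAAB0hHJ26p"

# Hypothetical allowlist: the only contexts this service is expected to act on.
ALLOWED_CONTEXTS = frozenset({STANDALONE, f"{PLATFORM}/{CONNECTED}"})

# Strict pattern so a context value can never carry CR/LF or extra separators
# into the header.
_ACCOUNT_ID = re.compile(r"acct_[A-Za-z0-9]+")


def stripe_context(account, platform=None):
    """Return a Stripe-Context value: 'acct_x', or 'platform/connected'."""
    parts = [platform, account] if platform else [account]
    for part in parts:
        if not _ACCOUNT_ID.fullmatch(part):
            raise ValueError(f"not an account ID: {part!r}")
    return "/".join(parts)


def org_request_headers(org_key, api_version, context, allowed=ALLOWED_CONTEXTS):
    """Build headers for a request authenticated with an organization key.

    Refuses to build a request that lacks either required header or that
    targets an account outside the local allowlist.
    """
    if not org_key.startswith("sk_org"):
        raise ValueError("expected an organization API key (sk_org prefix)")
    if not api_version:
        raise ValueError("Stripe-Version is required with organization keys")
    if context not in allowed:
        raise PermissionError(f"context {context!r} is not allowlisted")
    return {
        "Authorization": f"Bearer {org_key}",
        "Stripe-Version": api_version,
        "Stripe-Context": context,
    }
```

Load the real key from a secret store at call time rather than embedding it in source, and keep the returned `Authorization` value out of logs.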