# Manage API keys and access

Manage who can access a sandbox.

Use the [Stripe Dashboard](https://dashboard.stripe.com/) to manage sandbox API keys and grant users access to your sandbox.

## Manage API keys

Stripe uses the API keys associated with a sandbox to authenticate API requests to the sandbox environment. We raise an [invalid request error](https://docs.stripe.com/error-handling.md#invalid-request-errors) if you don’t include a key and an [authentication error](https://docs.stripe.com/error-handling.md#authentication-errors) if the key is incorrect or outdated.

Use the [Developer Dashboard](https://dashboard.stripe.com/test/apikeys) within the sandbox to reveal, revoke, and create API keys.

Learn more about [API keys](https://docs.stripe.com/keys.md).

## Manage access

You can manage access to each sandbox through direct role assignments in the sandbox or inherited roles assigned outside the sandbox.

### Direct role assignments in a sandbox

You can assign a role directly in a sandbox to give a user access to that sandbox by using [Team management](https://docs.stripe.com/get-started/account/teams.md) in that sandbox or organization sandbox. You can assign a different role in a sandbox than the one the user holds in other sandboxes or in your live account or organization. To grant access to organization sandboxes, you must assign the user a role in your live organization.

### Control inherited role access

You can control which roles are inherited in account sandboxes by changing the sandbox’s access level. Organization sandboxes always use the **Private** access level. Sandboxes that you create use the **Private** access level by default. Users with the **Admin**, **Super Admin**, or **Sandbox Administrator** role in your live account automatically inherit their roles in all sandboxes. To grant access to organization sandboxes, assign the user a role in your live organization.

- **Private** access level: Team members must be invited to access the sandbox. Only the **Admin**, **Super Admin**, and **Sandbox Administrator** roles are inherited.
- **All team members** access level: Team members with a live mode role inherit access to the sandbox, except users who only have the **Sandbox User** role. You can assign a different role with more permissions in the sandbox.

### Grant users access to all sandboxes in an account

When you assign the Sandbox Administrator role to a team member in your live account, they gain access to every sandbox linked to that account.

To add specific team members to all sandboxes connected to your live account with a direct role assignment:

1. Navigate to your live account in the Dashboard.
1. Click the account picker > **Settings** in the Dashboard.
1. Click **Team and security** > **+ Add member**, then enter one or more email addresses. Select the [Sandbox Administrator role](https://docs.stripe.com/get-started/account/teams/roles.md).
1. Click **Send invites**.

To add all team members to all sandboxes connected to your live account with inherited access:

1. Navigate to your live account in the Dashboard.
1. Click the account picker > **Switch to sandbox** > **Manage sandboxes** in the Dashboard.
1. For each sandbox, click the three dot menu of the sandbox you’d like to give all team members access to and then click **Change access**.
1. Select **All team members**.
1. Click **Save**.

> You must update the access level for each sandbox when you create it. New sandboxes don’t automatically grant access to all team members.

### Grant users access to all sandboxes in an organization

When you assign the Sandbox Administrator role to a team member in your live organization, they gain access to every organization sandbox linked to that organization, as well as every sandbox linked to the live accounts within your organization. Grant access to an organization sandbox with a direct role assignment only.
To add team members to all sandboxes and organization sandboxes connected to your live organization with a direct role assignment:

1. Navigate to your live organization in the Dashboard.
1. Click the account picker > **Settings** in the Dashboard.
1. Click **Team and security** > **+ Add member**, then enter one or more email addresses. Select the [Sandbox Administrator role](https://docs.stripe.com/get-started/account/teams/roles.md).
1. Click **Send invites**.

### Grant users access for testing only

When you grant a team member the Sandbox User role, you’re granting them access to create sandboxes and delete sandboxes they’ve created.

To invite team members to *only* the sandboxes associated with your live account or organization, without granting access to any details of your live account or organization:

1. Navigate to your live account or organization in the Dashboard.
1. Click the account picker > **Settings** in the Dashboard.
1. Click **Team and security** > **+ Add member**, then enter one or more email addresses. Select the [Sandbox User role](https://docs.stripe.com/get-started/account/teams/roles.md).
1. Click **Send invites**.

### Grant users access to a specific sandbox

To invite team members to a specific sandbox or organization sandbox:

1. Navigate to the sandbox or organization sandboxes in the Dashboard.
1. Click the account picker > **Settings** in the Dashboard.
1. Click **Team and security** > **+ Add member**, then enter one or more email addresses and select a role.
1. Click **Send invites**.

> Stripe automatically assigns the invited user the Sandbox User role in the live account or organization if they don’t already have a live role.

### Revoke user access to sandboxes

To revoke a user’s access:

1. Navigate to the live account, live organization, sandbox, or organization sandbox where that user has a role assignment in the Dashboard.
1. Click the account picker > **Settings** in the Dashboard.
1. Click **Team and security**, then click the overflow menu (⋯).
1. Click **Remove member** to revoke their access.

You can revoke access to a sandbox with the **All team members** access level only by revoking the user’s access to the live account.

## Manage user access to sandboxes with SSO

You can manage access to sandboxes through [single sign-on (SSO)](https://docs.stripe.com/get-started/account/sso/okta.md#assign-stripe-roles) SAML assertion by updating the attribute statements to specify roles within a sandbox.

To access a sandbox through SSO, your team member must have the following:

- A role in the livemode parent (the live organization or live account)
- A role that grants access to sandboxes, in either the specific sandbox or in the live account

The following roles in your live account automatically provide access to sandboxes:

- **Admin and Super Admin**: Admin and Super Admin users can create, manage, and view all sandboxes under the account or organization.
- **Developer**: Developer users can create new sandboxes and access any sandboxes they create themselves.
- **Sandbox Administrator**: Sandbox Administrator users can create, manage, and view all sandboxes under the account or organization. However, this role doesn’t grant any livemode permissions.
- **Sandbox User**: Sandbox User users can only access sandboxes. They have no permissions in the livemode account. Like Developers, they can create new sandboxes and access any sandboxes they create themselves.

For more information about these roles, see [User roles](https://docs.stripe.com/get-started/account/teams/roles.md).

### SSO configuration examples

The following examples demonstrate how to configure your identity provider (IdP) to grant access to sandboxes using SAML attribute statements.

#### Grant users access to a specific sandbox with SSO

To grant a user access to a specific sandbox, your IdP admin needs to send a role attribute with the sandbox account ID in the SAML assertion.
For example, to grant a user the `analyst` role in a specific sandbox account:

```xml
analyst
```

#### Grant users access for testing

To let your team members create sandboxes and delete the sandboxes they create without granting access to your live account or organization details, assign the `sandbox_user` role in the live account:

```xml
sandbox_user
```

You can combine the `sandbox_user` role with other roles if you want the user to have additional permissions in the live account:

```xml
analyst sandbox_user
```

When users have the `sandbox_user` role, they can create sandboxes and access the sandboxes they’ve created. You don’t need to send a role statement for each individual sandbox.

#### Grant users access to all sandboxes with SSO

To grant a user access to all sandboxes under a live account or organization, assign the `sandbox_admin` role in the live account:

```xml
sandbox_admin
```

You can combine `sandbox_admin` with additional roles for the live account or organization:

```xml
analyst sandbox_admin
```

When a user has the `sandbox_admin` role, they can access all sandboxes. You don’t need to send role statements for individual sandboxes.
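
The inheritance rules under "Control inherited role access" and the role list above can be modelled to review who reaches each sandbox and why. This is an added example, not Stripe code or a Stripe API: the `Sandbox` data model, the function names, and the team roster are assumptions, and `live_roles` means the roles a user holds in the sandbox's live parent.

```python
from dataclasses import dataclass, field

# Role names are the ones this page uses; the data model is an assumption.
ALWAYS_INHERITED = {"Admin", "Super Admin", "Sandbox Administrator"}
CREATOR_ROLES = {"Developer", "Sandbox User"}  # access to sandboxes they created

@dataclass
class Sandbox:
    name: str
    access_level: str = "Private"   # or "All team members"
    creator: str = ""
    direct_roles: dict = field(default_factory=dict)  # user -> role in this sandbox
    organization: bool = False      # organization sandboxes are always Private

def access_reasons(user, live_roles, sandbox):
    """Every reason `user` can reach `sandbox`; an empty list means no access."""
    reasons = []
    if user in sandbox.direct_roles:
        reasons.append("direct:" + sandbox.direct_roles[user])
    reasons += ["inherited:" + r for r in sorted(live_roles & ALWAYS_INHERITED)]
    if sandbox.creator == user and live_roles & CREATOR_ROLES:
        reasons.append("creator")
    level = "Private" if sandbox.organization else sandbox.access_level
    # "All team members": any live role inherits, unless Sandbox User is the only one.
    if level == "All team members" and live_roles - {"Sandbox User"}:
        reasons.append("inherited:all-team-members")
    return reasons

def audit(team, sandboxes):
    """Map sandbox name -> {user: reasons} for users with any access."""
    return {
        sb.name: {u: why for u, roles in team.items()
                  if (why := access_reasons(u, roles, sb))}
        for sb in sandboxes
    }

# Constructed sample data (not real accounts or sandbox names).
TEAM = {"alice": {"Admin"}, "bob": {"Analyst"},
        "carol": {"Sandbox User"}, "dave": {"Developer"}}
SANDBOXES = [
    Sandbox("payments-dev", creator="dave", direct_roles={"bob": "Analyst"}),
    Sandbox("shared-qa", access_level="All team members", creator="carol"),
]

if __name__ == "__main__":
    for name, users in audit(TEAM, SANDBOXES).items():
        print(name, users)
```

A user with more than one reason keeps access after a single role assignment is removed, which is why a sandbox at the **All team members** level can only be revoked from the live account.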