# Choosing the API Keys owner

Selecting the correct owner for a PandaDoc API Key is crucial, as the key inherits the owner's permissions and impacts API usage limits.

## **Key Considerations**

### **1. Permissions & Role**

* The API Key **inherits** the owner's role and permissions in the workspace.
* User must have an Admin role to become an API Key owner. However, role might be changed after creation. ([Account Roles](https://support.pandadoc.com/en/articles/9715043-account-roles)), which will affect the permission scope of the key.

### **2. Action Attribution**

* API actions are **executed on behalf of the owner**, appearing in audit logs as their actions.
* Select an owner whose activity should be **tracked in reports**.

### **3. Key Deactivation**

* If the **owner is removed from the workspace**, the API Key is **automatically deactivated**.
* Avoid using personal accounts—**use a service account** where possible.

### **4. Rate Limits**

* API rate limits are **per user**. ([Rate Limits](https://developers.pandadoc.com/reference/limit))
* If the same user owns keys across multiple workspaces, their limit is **shared**.
* Distribute key ownership **to avoid hitting limits**.

## **Best Practices**

* Use a **dedicated service accounts** instead of individual users, so the user is never removed.
* For Organization Level operations, create a service workspace where only Org Admin is added to have an API Key no one else can access.
* Avoid having Org Admin as a key's owner in every workspace. Each key owned by Org Admin has an access to User and Workspace Management endpoints.
* Monitor usage and **rotate keys periodically** to maintain security.