Manage many accounts with one API client

This guide shows you how to set up an API client for use with many accounts. Ordinarily, an API client can only access the account in which it is created. The process for setting up the specialized API client that lets you make calls across different APIs and accounts is slightly different than the process for creating a regular API client.

Before you start

Using this specialized API client requires the accountSwitchKey query parameter when you make your call. An accountSwitchKey indicates the specific account you want your call to apply to. If you make a call without the accountSwitchKey, the call applies to your API client’s default account.

This API client mimics your Control Center roles and permissions and lets you manage many accounts programmatically from one API client. To give you this same access, this type of API client uses your Control Center roles and permissions exactly as they appear in Control Center. If you want to change the group and role assignments for the API client, you must change the group and role assignments you have in Luna (or contact an administrator to do it for you). The changes you make to your Luna permissions cascade to the API client automatically and keep it in sync.

Important things to note:

  • Credentials on this type of API client expire on the same schedule as your account’s password rotation policy. You cannot edit the expiration date on these credentials, but you can create new credentials for this client.

  • The credentials, or tokens, work the same for SAML SSO users as they do for non-SAML SSO users.

  • Because this API client uses the same role assignments as the Control Center user the client belongs to, you can follow the same audit trail you normally would and see the API client’s activity just as if it were the Control Center user’s.

  • You cannot change the owner of these API clients.

  • The API client no longer works once the user’s Control Center account is locked or disabled.

To use this type of client with an accountSwitchKey, you’ll need to get specific keys from the Identity Management API. Ensure you’ve provisioned the Identity Management API in your client.

Required setup

Before you can make an API call on the Akamai network, you need:

Create an API client

For this exercise, you’ll create one API client to use across multiple accounts.

  1. Launch Identity Management in Control Center (CONFIGURE ⇒ Manage APIs).

  2. Click New API client for me.

  3. Select Use USERNAME’s Control Center roles and permissions, where USERNAME is the user’s login name.

  4. Select Let this client manage multiple accounts, then click Next.

  5. Enter a name and description for the client.

  6. Search for the Diagnostic Tools API and select READ-WRITE for the access level.

  7. Click New credential.

  8. On the New credentials screen, click Download client tokens.

Add credential to edgerc file

Before you can access the API, you need to configure the file that contains the credentials. The credential includes the client token and client secret required to authenticate Akamai API requests.

  1. Open the file you downloaded in a text editor.

  2. Add a line above the credentials as follows: [default].

    NOTE: You can add credentials to this file as needed. Separate each set of credentials with a [header] as shown.

  3. Save the file in your home directory with the name .edgerc.

Make API calls

For this exercise, you’ll use HTTPie to make a simple dig IP address lookup request with the Diagnostic Tools API.

You’ll make the API calls to an account other than the one in which you created your client. Making API calls to another account requires the accountSwitchKey query parameter.

  1. Run the List account switch keys operation to retrieve the accountSwitchKey for the account you want to manage.

  2. Request the locations of servers in the Akamai network that can run the diagnostic tools.

    $ http --auth-type edgegrid -a default: ":/diagnostic-tools/v2/ghost-locations/available?accountSwitchKey=B-4-8IR85"

    STEP RESULT: You receive a 200 OK response with the location results for the account you passed in the request.

  3. Execute a dig command to get IP address information for in one of the locations. For this example, use Tokyo.

    $ http --auth-type edgegrid -a default: ":/diagnostic-tools/v2/ghost-locations/tokyo-13-japan/dig-info?"

    STEP RESULT: You receive a 200 OK response with the dig results.

  4. Run the Dig command again, choosing a different location ID from the Ghost location results. For more information, refer to Run dig from a Ghost Location.
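
The following is an added example, not Akamai's code or part of the original guide. It checks the .edgerc file from the steps above before use and refuses to build a request path without an accountSwitchKey, so a call cannot silently apply to the default account. The function names are hypothetical, the credential values are constructed, and the four field names are assumed to be the ones in the downloaded credential file.

```python
import configparser
import os
import stat
import tempfile
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumption: these are the fields in the downloaded credential file.
REQUIRED = ("host", "client_token", "client_secret", "access_token")

def check_edgerc(path, section="default"):
    """Return a list of problems with an .edgerc file; an empty list means usable."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"mode {mode:o} lets other users read the credentials; chmod 600")
    cfg = configparser.ConfigParser(interpolation=None)
    try:
        cfg.read(path)
    except configparser.MissingSectionHeaderError:
        # The downloaded file was saved without the header line from step 2.
        return problems + [f"no [{section}] header above the credentials"]
    if not cfg.has_section(section):
        return problems + [f"no [{section}] section"]
    for key in REQUIRED:
        if not cfg.get(section, key, fallback="").strip():
            problems.append(f"[{section}] is missing {key}")
    return problems

def with_account(api_path, account_switch_key):
    """Add accountSwitchKey to an API path; never fall back to the default account."""
    if not account_switch_key:
        raise ValueError("no accountSwitchKey: the call would apply to the default account")
    parts = urlsplit(api_path)
    # Drop any accountSwitchKey already present so exactly one is sent.
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k != "accountSwitchKey"]
    query.append(("accountSwitchKey", account_switch_key))
    return urlunsplit(parts._replace(query=urlencode(query)))

def demo():
    """Run both checks on a constructed credential file (all values are made up)."""
    sample = ("[default]\nclient_secret = EXAMPLE-SECRET\nhost = example.invalid\n"
              "access_token = EXAMPLE-ACCESS\nclient_token = EXAMPLE-CLIENT\n")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".edgerc")
        with open(path, "w") as fh:
            fh.write(sample)
        os.chmod(path, 0o600)
        return check_edgerc(path), with_account(
            "/diagnostic-tools/v2/ghost-locations/available", "B-4-8IR85")
```

Because this client carries your Control Center roles across every account it can switch to, treat any reported problem as a reason to stop before sending the request.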


In this exercise, you learned how to create an API client to manage multiple accounts and use that client to make Akamai API calls. Here are some additional resources to expand your knowledge about Akamai APIs.