API-keys are created on Organization level and have permissions, which can be specified to suit the use case for the API-key. This means that API-keys can be denied access to certain parts of the Organization and its Workspaces, or a complete feature altogether.