# Can I create read-only API keys?

We don't have a dedicated read-only API key option for **Admins** or **Members**, but you can get the same effect by inviting a **Guest** user to your team and generating an API token on their account.

[Guests](/docs/faq/whats-the-difference-between-admin-member-and-guest-roles) can view your monitors and check results but can't add or remove monitors, change billing, or edit team settings. An API token created by a Guest inherits the same restrictions, so it behaves as a read-only key for monitoring data.

Tip: use an email alias for the Guest account, for example `name+ohdear@domain.com`. That way you don't need a separate mailbox just for automation tokens.

## Read-only access for MCP

Connecting Oh Dear to an AI assistant instead? Our MCP Connected Apps have a proper read-only scope built in. When you authorise the app (under **Settings** > **Connected apps**), you choose read-only or read-write, and you can limit it to specific monitors or status pages. No Guest-account trick needed there.

If you'd like proper scoped API keys for the REST API too, [let us know](/contact). Hearing what you need helps us prioritize.
