--- title: "What are API Subaccounts?" description: "The Subaccount pattern divides an organization's API access by business units, allowing for finer-grain control and monitoring." canonicalUrl: "https://zuplo.com/learning-center/what-are-subaccount-api-keys" pageType: "learning-center" authors: "adrian" tags: "API Best Practices, API Key Authentication, Tutorial" image: "https://zuplo.com/og?text=Exploring%20the%20Subaccount%20Pattern%20for%20APIs" --- ## What are Subaccounts? **Subaccounts** are a design pattern to divide an organization's API access based on business units (ie. departments, teams), allowing for larger organizations to have finer-grain control and tracking over their API integrations. A **Subaccount API Key** (also known as Subkey) is a "virtual" API key that created alongside the Subaccount, and grants that Subaccount (potentially limited) access to the API. Calls from Subaccount keys will all be summed and counted against the organization's overall quotas and rate limits. This means API usage must still be governed and monitored at the organization-level. An analogous concept in the world of finance is [virtual credit cards](https://n26.com/en-eu/virtual-card) which are used to better track purchases/spend at a department level, but can also be safely deleted when compromised without the original credit card being compromised or having to be replaced. ## Benefits of Subaccounts - **Tailored Reporting**: Analytics and reports are presented at the Subaccount key level, meaning your dashboards/reports are automatically scoped to your department. - **Fine-grain Permissions**: Managers of the API can typically assign stricter controls to the Subaccounts (ex. lower quotas or rate limits) based on the expected usage of that subdivision/department. Some APIs even provide the ability to restrict access to certain APIs for Subaccounts. - **Security**: In addition to being able to limit API access at the Subkey level - a Subkey is ideally only used within a single department's code. This significantly reduces the amount of work needed to successfully roll the Subkey - as the surface area of the change(s) will be limited to that department. - **Account Sharing**: Sharing access to an API with the appropriate permissions and access controls is easier with Subaccounts. If you're already part of a Subaccount, you can simply invite a coworker and they will automatically have the correct access. - **Budget Tracking**: Accessing 3rd party APIs can be expensive, and many large organizations need to be able to break down costs at a department level for accounting purposes. Subaccounts (especially 1st party offerings) allow for billing reports at the department level - and may even let departments pay their own bills independently. ## Which Companies Offer Subaccounts? - Email and communication APIs like [Twilio](https://www.twilio.com/docs/iam/api/subaccounts), [Vonage](https://developer.vonage.com/en/account/subaccounts/code-snippets/create-subaccount), [Mailjet](https://documentation.mailjet.com/hc/en-us/articles/360042561974-How-to-create-a-subaccount-or-additional-API-Key), and [Mailgun](https://documentation.mailgun.com/docs/mailgun/user-manual/subaccounts/), which makes sense given almost all departments need to send emails or text messages. - Stock Trading and Crypto Exchange APIs like [Binance](https://dev.binance.vision/t/how-do-i-get-api-keys-from-sub-accounts-through-the-main-account-api/15363) and [BitMEX](https://www.bitmex.com/app/subAccountGuide) use Subaccounts to scope trading abilities and access to certain financial instruments/derivatives. ## Should I Offer Subaccounts? If your API is commonly used across organizations (ex. it performs a common and essential business function like email, image management, analytics) then consider building a 1st party implementation of Subaccounts within your product. I actually already created a [guide to building Subaccount Keys](/learning-center/building-an-api-integration-platform#step-3-managing-authentication-with-subkeys) that should have you up-and-running in 30 minutes. ## What If an API Doesn't Offer Subaccounts? If an API you are integrating with does not offer Subaccounts - you can actually [build a lightweight api integration platform](/learning-center/building-an-api-integration-platform) and issue/manage Subkeys within your organization.