> ## Documentation Index
> Fetch the complete documentation index at: https://docs.anchorage.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Permission groups and API keys

> Configure the permissions and API keys needed for transfers, withdrawals, and trusted destination management.

An **API key** authenticates requests. A **permission group** controls which vaults and operations the keys in it can use. Move-money setup is mostly a matter of putting the right permissions on the right group, then activating a key against it.

## Permission levels

* **Global permissions** apply across all your vaults (for example, `Initiate withdrawals`).
* **Vault-level permissions** apply only to the selected vault or its wallets (for example, `Transfer funds`).

## Move-money permissions

| Permission                                      | Level  | Used for                                                        |
| :---------------------------------------------- | :----- | :-------------------------------------------------------------- |
| `Read`                                          | Vault  | Reading balances and transactions.                              |
| `Create address`                                | Vault  | Creating wallets and deposit addresses.                         |
| `Transfer funds (within Anchorage Digital)`     | Vault  | Internal transfers from that vault.                             |
| `Transfer funds (outside of Anchorage Digital)` | Vault  | External transfers from that vault.                             |
| `Initiate withdrawals`                          | Global | Withdrawals to external destinations (each still needs quorum). |
| `Manage trusted destinations`                   | Global | Creating and managing trusted destinations.                     |
| `Deposit attribution`                           | Global | Attributing deposits as known or spam.                          |
| `Configure webhooks`                            | Global | Managing webhooks.                                              |

## Activation and segregation

* Keys with external transfer or withdrawal permissions require quorum approval before they can be used.
* Keep internal and external transfer permissions in separate permission groups and API keys. Do not combine them.
* An optional daily transfer limit can be set per permission group, applied across all keys in the group over a rolling 24-hour window. Limits apply per permission group only. Per-account limits spanning multiple endpoints aren't available yet.

Permission groups are created and configured by your organization admin in the web dashboard. See [API keys](/knowledge-base/platform/developers/api-keys) for creating and using keys.
