diff --git a/clients/ts-sdk/openapi.json b/clients/ts-sdk/openapi.json
index 8cbae0d098..41328db0d5 100644
--- a/clients/ts-sdk/openapi.json
+++ b/clients/ts-sdk/openapi.json
@@ -5162,6 +5162,174 @@
         ]
       }
     },
+    "/api/organization/api_key": {
+      "get": {
+        "tags": [
+          "Organization"
+        ],
+        "summary": "Get Organization Api Keys",
+        "description": "Get the api keys which belong to the organization. The actual api key values are not returned, only the ids, names, and creation dates.",
+        "operationId": "get_organization_api_keys",
+        "parameters": [
+          {
+            "name": "TR-Organization",
+            "in": "header",
+            "description": "The organization id to use for the request.",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "JSON body representing the api_key for the organization",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "array",
+                  "items": {
+                    "$ref": "#/components/schemas/ApiKeyRespBody"
+                  }
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Service error relating to creating api_key for the organization",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorResponseBody"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "ApiKey": [
+              "readonly"
+            ]
+          }
+        ]
+      },
+      "post": {
+        "tags": [
+          "Organization"
+        ],
+        "summary": "Create Organization Api Key",
+        "description": "Create a new api key for the organization. Successful response will contain the newly created api key.",
+        "operationId": "create_organization_api_key",
+        "parameters": [
+          {
+            "name": "TR-Organization",
+            "in": "header",
+            "description": "The organization id to use for the request.",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          }
+        ],
+        "requestBody": {
+          "description": "JSON request payload to create a new organization api key",
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/CreateApiKeyReqPayload"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "JSON body representing the api_key for the organization",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/CreateApiKeyResponse"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Service error relating to creating api_key for the organization",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorResponseBody"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "ApiKey": [
+              "readonly"
+            ]
+          }
+        ]
+      }
+    },
+    "/api/organization/api_key/{api_key_id}": {
+      "delete": {
+        "tags": [
+          "Organization"
+        ],
+        "summary": "Delete Organization Api Key",
+        "description": "Delete an api key for the auth'ed organization.",
+        "operationId": "delete_organization_api_key",
+        "parameters": [
+          {
+            "name": "api_key_id",
+            "in": "path",
+            "description": "The id of the api key to delete",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          },
+          {
+            "name": "TR-Organization",
+            "in": "header",
+            "description": "The organization id to use for the request.",
+            "required": true,
+            "schema": {
+              "type": "string",
+              "format": "uuid"
+            }
+          }
+        ],
+        "responses": {
+          "204": {
+            "description": "Confirmation that the api key was deleted"
+          },
+          "400": {
+            "description": "Service error relating to creating api_key for the organization",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ErrorResponseBody"
+                }
+              }
+            }
+          }
+        },
+        "security": [
+          {
+            "ApiKey": [
+              "readonly"
+            ]
+          }
+        ]
+      }
+    },
     "/api/organization/update_dataset_configs": {
       "post": {
         "tags": [
@@ -6163,100 +6331,6 @@
         ]
       }
     },
-    "/api/user/api_key": {
-      "post": {
-        "tags": [
-          "User"
-        ],
-        "summary": "Create User Api Key",
-        "description": "Create a new api key for the auth'ed user. Successful response will contain the newly created api key. If a write role is assigned the api key will have permission level of the auth'ed user who calls this endpoint.",
-        "operationId": "create_user_api_key",
-        "requestBody": {
-          "description": "JSON request payload to create a new user api key",
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/CreateApiKeyReqPayload"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "200": {
-            "description": "JSON body representing the api_key for the user",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/CreateApiKeyResponse"
-                }
-              }
-            }
-          },
-          "400": {
-            "description": "Service error relating to creating api_key for the user",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResponseBody"
-                }
-              }
-            }
-          }
-        },
-        "security": [
-          {
-            "ApiKey": [
-              "readonly"
-            ]
-          }
-        ]
-      }
-    },
-    "/api/user/api_key/{api_key_id}": {
-      "delete": {
-        "tags": [
-          "User"
-        ],
-        "summary": "Delete User Api Key",
-        "description": "Delete an api key for the auth'ed user.",
-        "operationId": "delete_user_api_key",
-        "parameters": [
-          {
-            "name": "api_key_id",
-            "in": "path",
-            "description": "The id of the api key to delete",
-            "required": true,
-            "schema": {
-              "type": "string",
-              "format": "uuid"
-            }
-          }
-        ],
-        "responses": {
-          "204": {
-            "description": "Confirmation that the api key was deleted"
-          },
-          "400": {
-            "description": "Service error relating to creating api_key for the user",
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/ErrorResponseBody"
-                }
-              }
-            }
-          }
-        },
-        "security": [
-          {
-            "ApiKey": [
-              "readonly"
-            ]
-          }
-        ]
-      }
-    },
     "/metrics": {
       "post": {
         "tags": [
@@ -6395,7 +6469,7 @@
         "type": "object",
         "required": [
           "id",
-          "user_id",
+          "organization_id",
           "name",
           "role",
           "created_at",
@@ -6420,12 +6494,9 @@
           "name": {
             "type": "string"
           },
-          "organization_ids": {
-            "type": "array",
-            "items": {
-              "type": "string"
-            },
-            "nullable": true
+          "organization_id": {
+            "type": "string",
+            "format": "uuid"
           },
           "role": {
             "type": "integer",
@@ -6434,10 +6505,6 @@
           "updated_at": {
             "type": "string",
             "format": "date-time"
-          },
-          "user_id": {
-            "type": "string",
-            "format": "uuid"
           }
         },
         "example": {
@@ -6447,12 +6514,9 @@
           ],
           "id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3",
           "name": "Trieve",
-          "organization_ids": [
-            "o1o1o1o1-o1o1-o1o1-o1o1-o1o1o1o1o1o1"
-          ],
+          "organization_id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3",
           "role": 1,
-          "updated_at": "2021-01-01 00:00:00.000",
-          "user_id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3"
+          "updated_at": "2021-01-01 00:00:00.000"
         }
       },
       "AuthQuery": {
@@ -8273,7 +8337,7 @@
               "type": "string",
               "format": "uuid"
             },
-            "description": "The dataset ids which the api key will have access to. If not provided or empty, the api key will have access to all datasets the auth'ed user has access to. If both dataset_ids and organization_ids are provided, the api key will have access to the intersection of the datasets and organizations.",
+            "description": "The dataset ids which the api key will have access to. If not provided or empty, the api key will have access to all datasets in the dataset.",
             "nullable": true
           },
           "default_params": {
@@ -8293,26 +8357,17 @@
             "type": "string",
             "description": "The name which will be assigned to the new api key."
           },
-          "organization_ids": {
-            "type": "array",
-            "items": {
-              "type": "string",
-              "format": "uuid"
-            },
-            "description": "The organization ids which the api key will have access to. If not provided or empty, the api key will have access to all organizations the auth'ed user has access to.",
-            "nullable": true
-          },
           "role": {
             "type": "integer",
             "format": "int32",
-            "description": "The role which will be assigned to the new api key. Either 0 (read), 1 (read and write at the level of the currently auth'ed user). The auth'ed user must have a role greater than or equal to the role being assigned which means they must be an admin (1) or owner (2) of the organization to assign write permissions with a role of 1."
+            "description": "The role which will be assigned to the new api key. Either 0 (read), 1 (Admin) or 2 (Owner). The auth'ed user must have a role greater than or equal to the role being assigned."
           },
           "scopes": {
             "type": "array",
             "items": {
               "type": "string"
             },
-            "description": "The routes which the api key will have access to. If not provided or empty, the api key will have access to all routes the auth'ed user has access to. Specify the routes as a list of strings. For example, [\"GET /api/dataset\", \"POST /api/dataset\"].",
+            "description": "The routes which the api key will have access to. If not provided or empty, the api key will have access to all routes. Specify the routes as a list of strings. For example, [\"GET /api/dataset\", \"POST /api/dataset\"].",
             "nullable": true
           }
         }
diff --git a/clients/ts-sdk/src/functions/index.ts b/clients/ts-sdk/src/functions/index.ts
index 0fbcf774ef..3712086f85 100644
--- a/clients/ts-sdk/src/functions/index.ts
+++ b/clients/ts-sdk/src/functions/index.ts
@@ -7,6 +7,7 @@ import * as fileMethods from "./file/index";
 import * as eventsMethods from "./events/index";
 import * as datasetsMethods from "./datasets/index";
 import * as userMethods from "./user/index";
+import * as organizationMethods from "./organization/index";
 
 export default {
   ...chunkMethods,
@@ -18,4 +19,5 @@ export default {
   ...eventsMethods,
   ...datasetsMethods,
   ...userMethods,
+  ...organizationMethods,
 };
diff --git a/clients/ts-sdk/src/functions/organization/index.ts b/clients/ts-sdk/src/functions/organization/index.ts
new file mode 100644
index 0000000000..21d1194355
--- /dev/null
+++ b/clients/ts-sdk/src/functions/organization/index.ts
@@ -0,0 +1,53 @@
+/**
+ * This includes all the functions you can use to communicate with our organization endpoint
+ *
+ * @module Organization Methods
+ */
+
+import { TrieveSDK } from "../../sdk";
+import { CreateApiKeyReqPayload, CreateApiKeyResponse } from "../../types.gen";
+
+export async function createOrganizationApiKey(
+  /** @hidden */
+  this: TrieveSDK,
+  props: CreateApiKeyReqPayload,
+  signal?: AbortSignal,
+): Promise<CreateApiKeyResponse> {
+  if (!this.organizationId) {
+    throw new Error(
+      "Organization ID is required to create Organization API key",
+    );
+  }
+
+  return this.trieve.fetch(
+    "/api/organization/api_key",
+    "post",
+    {
+      data: props,
+      organizationId: this.organizationId,
+    },
+    signal,
+  );
+}
+
+export async function deleteOrganizationApiKey(
+  /** @hidden */
+  this: TrieveSDK,
+  apiKeyId: string,
+  signal?: AbortSignal,
+): Promise<void> {
+  if (!this.organizationId) {
+    throw new Error(
+      "Organization ID is required to delete Organization API key",
+    );
+  }
+  return this.trieve.fetch(
+    "/api/organization/api_key/{api_key_id}",
+    "delete",
+    {
+      apiKeyId,
+      organizationId: this.organizationId,
+    },
+    signal,
+  );
+}
diff --git a/clients/ts-sdk/src/functions/organization/organization.test.ts b/clients/ts-sdk/src/functions/organization/organization.test.ts
new file mode 100644
index 0000000000..e5d69ab5c2
--- /dev/null
+++ b/clients/ts-sdk/src/functions/organization/organization.test.ts
@@ -0,0 +1,134 @@
+import { describe, beforeAll, test, expectTypeOf, expect } from "vitest";
+import { TRIEVE } from "../../__tests__/constants";
+import { TrieveSDK } from "../../sdk";
+import { CreateApiKeyResponse, ReturnQueuedChunk } from "../../types.gen";
+
+describe("Organization Tests", async () => {
+  let trieve: TrieveSDK;
+  beforeAll(() => {
+    trieve = TRIEVE;
+  });
+
+  test("create an api key and verify it works", async () => {
+    const apiKeyResponse = await trieve.createOrganizationApiKey({
+      role: 1,
+      name: "test suite key",
+    });
+
+    expectTypeOf(apiKeyResponse).toEqualTypeOf<CreateApiKeyResponse>();
+
+    const newTrieve = new TrieveSDK({
+      apiKey: apiKeyResponse.api_key,
+      datasetId: trieve.datasetId,
+    });
+
+    const queuedChunk = await newTrieve.createChunk({
+      chunk_html: "testing hello world",
+      tracking_id: "1234",
+      tag_set: ["test"],
+    });
+
+    expectTypeOf(queuedChunk).toEqualTypeOf<ReturnQueuedChunk>();
+
+    newTrieve.deleteChunkByTrackingId({
+      trackingId: "1234",
+    });
+  });
+
+  test("create an expired api key and verify it does not work", async () => {
+    const apiKeyResponse = await trieve.createOrganizationApiKey({
+      expires_at: new Date(new Date().setDate(new Date().getDate() - 1))
+        .toISOString()
+        .slice(0, 19)
+        .replace("T", " "),
+      role: 1,
+      name: "test suite key",
+    });
+
+    expectTypeOf(apiKeyResponse).toEqualTypeOf<CreateApiKeyResponse>();
+
+    let errorOccurred = false;
+
+    const newTrieve = new TrieveSDK({
+      apiKey: apiKeyResponse.api_key,
+      datasetId: trieve.datasetId,
+    });
+
+    try {
+      await newTrieve.createChunk({
+        chunk_html: "testing hello world",
+        tracking_id: "should_never_work",
+        tag_set: ["test"],
+      });
+
+      newTrieve.deleteChunkByTrackingId({
+        trackingId: "should_never_work",
+      });
+    } catch (e) {
+      errorOccurred = true;
+    }
+
+    expect(errorOccurred).toBe(true);
+  });
+
+  test("create an api key with a filter for test and verify it excludes chunks without the tag", async () => {
+    const apiKeyResponse = await trieve.createOrganizationApiKey({
+      role: 1,
+      name: "test suite key",
+      default_params: {
+        filters: {
+          must: [
+            {
+              field: "tag_set",
+              match_all: ["test"],
+            },
+          ],
+        },
+      },
+    });
+
+    expectTypeOf(apiKeyResponse).toEqualTypeOf<CreateApiKeyResponse>();
+
+    const newTrieve = new TrieveSDK({
+      apiKey: apiKeyResponse.api_key,
+      datasetId: trieve.datasetId,
+    });
+
+    const queuedChunks = await newTrieve.createChunk([
+      {
+        chunk_html: "testing hello world",
+        tracking_id: "not_test",
+        tag_set: ["not_test"],
+      },
+      {
+        chunk_html: "testing hello world",
+        tracking_id: "test",
+        tag_set: ["test"],
+      },
+    ]);
+
+    expectTypeOf(queuedChunks).toEqualTypeOf<ReturnQueuedChunk>();
+
+    await new Promise((r) => setTimeout(r, 10000));
+
+    const chunksResp = await newTrieve.scroll({
+      page_size: 100,
+      filters: {
+        must: [
+          {
+            field: "tag_set",
+            match_all: ["not_test"],
+          },
+        ],
+      },
+    });
+
+    for (const chunk of chunksResp.chunks) {
+      expect(chunk.tag_set).toContain("test");
+    }
+
+    newTrieve.deleteChunkByTrackingId({
+      trackingId: "1234",
+    });
+  });
+});
diff --git a/clients/ts-sdk/src/functions/user/index.ts b/clients/ts-sdk/src/functions/user/index.ts
index e447308102..c71d5b3263 100644
--- a/clients/ts-sdk/src/functions/user/index.ts
+++ b/clients/ts-sdk/src/functions/user/index.ts
@@ -6,8 +6,6 @@
 
 import { TrieveSDK } from "../../sdk";
 import {
-  CreateApiKeyReqPayload,
-  CreateApiKeyResponse,
   UpdateUserOrgRoleReqPayload,
 } from "../../types.gen";
 
@@ -32,38 +30,3 @@ export async function updateUserRole(
   );
 }
 
-export async function createUserApiKey(
-  /** @hidden */
-  this: TrieveSDK,
-  props: CreateApiKeyReqPayload,
-  signal?: AbortSignal
-): Promise<CreateApiKeyResponse> {
-  if (!this.organizationId) {
-    throw new Error("Organization ID is required to create user API key");
-  }
-
-  return this.trieve.fetch(
-    "/api/user/api_key",
-    "post",
-    {
-      data: props,
-    },
-    signal
-  );
-}
-
-export async function deleteUserApiKey(
-  /** @hidden */
-  this: TrieveSDK,
-  apiKeyId: string,
-  signal?: AbortSignal
-): Promise<void> {
-  return this.trieve.fetch(
-    "/api/user/api_key/{api_key_id}",
-    "delete",
-    {
-      apiKeyId,
-    },
-    signal
-  );
-}
\ No newline at end of file
diff --git a/clients/ts-sdk/src/functions/user/user.test.ts b/clients/ts-sdk/src/functions/user/user.test.ts
index 3621fd68d4..91ac280440 100644
--- a/clients/ts-sdk/src/functions/user/user.test.ts
+++ b/clients/ts-sdk/src/functions/user/user.test.ts
@@ -1,6 +1,5 @@
-import { beforeAll, describe, expect, expectTypeOf } from "vitest";
+import { beforeAll, describe, expectTypeOf } from "vitest";
 import { TrieveSDK } from "../../sdk";
-import { CreateApiKeyResponse, ReturnQueuedChunk } from "../../types.gen";
 import { TRIEVE } from "../../__tests__/constants";
 import { test } from "../../__tests__/utils";
 
@@ -9,127 +8,11 @@ describe("User Tests", async () => {
   beforeAll(() => {
     trieve = TRIEVE;
   });
-
-  test("create an api key and verify it works", async () => {
-    const apiKeyResponse = await trieve.createUserApiKey({
-      role: 1,
-      name: "test suite key",
-    });
-
-    expectTypeOf(apiKeyResponse).toEqualTypeOf<CreateApiKeyResponse>();
-
-    const newTrieve = new TrieveSDK({
-      apiKey: apiKeyResponse.api_key,
-      datasetId: trieve.datasetId,
-    });
-
-    const queuedChunk = await newTrieve.createChunk({
-      chunk_html: "testing hello world",
-      tracking_id: "1234",
-      tag_set: ["test"],
-    });
-
-    expectTypeOf(queuedChunk).toEqualTypeOf<ReturnQueuedChunk>();
-
-    newTrieve.deleteChunkByTrackingId({
-      trackingId: "1234",
-    });
-  });
-
-  test("create an expired api key and verify it does not work", async () => {
-    const apiKeyResponse = await trieve.createUserApiKey({
-      expires_at: new Date(new Date().setDate(new Date().getDate() - 1))
-        .toISOString()
-        .slice(0, 19)
-        .replace("T", " "),
-      role: 1,
-      name: "test suite key",
-    });
-
-    expectTypeOf(apiKeyResponse).toEqualTypeOf<CreateApiKeyResponse>();
-
-    let errorOccurred = false;
-
-    const newTrieve = new TrieveSDK({
-      apiKey: apiKeyResponse.api_key,
-      datasetId: trieve.datasetId,
-    });
-
-    try {
-      await newTrieve.createChunk({
-        chunk_html: "testing hello world",
-        tracking_id: "should_never_work",
-        tag_set: ["test"],
-      });
-
-      newTrieve.deleteChunkByTrackingId({
-        trackingId: "should_never_work",
-      });
-    } catch (e) {
-      errorOccurred = true;
-    }
-
-    expect(errorOccurred).toBe(true);
-  });
-
-  test("create an api key with a filter for test and verify it excludes chunks without the tag", async () => {
-    const apiKeyResponse = await trieve.createUserApiKey({
+  test("updateUserRole", async () => {
+    const data = await trieve.updateUserRole({
       role: 1,
-      name: "test suite key",
-      default_params: {
-        filters: {
-          must: [
-            {
-              field: "tag_set",
-              match_all: ["test"],
-            },
-          ],
-        },
-      },
     });
 
-    expectTypeOf(apiKeyResponse).toEqualTypeOf<CreateApiKeyResponse>();
-
-    const newTrieve = new TrieveSDK({
-      apiKey: apiKeyResponse.api_key,
-      datasetId: trieve.datasetId,
-    });
-
-    const queuedChunks = await newTrieve.createChunk([
-      {
-        chunk_html: "testing hello world",
-        tracking_id: "not_test",
-        tag_set: ["not_test"],
-      },
-      {
-        chunk_html: "testing hello world",
-        tracking_id: "test",
-        tag_set: ["test"],
-      },
-    ]);
-
-    expectTypeOf(queuedChunks).toEqualTypeOf<ReturnQueuedChunk>();
-
-    await new Promise((r) => setTimeout(r, 10000));
-
-    const chunksResp = await newTrieve.scroll({
-      page_size: 100,
-      filters: {
-        must: [
-          {
-            field: "tag_set",
-            match_all: ["not_test"],
-          },
-        ],
-      },
-    });
-
-    for (const chunk of chunksResp.chunks) {
-      expect(chunk.tag_set).toContain("test");
-    }
-
-    newTrieve.deleteChunkByTrackingId({
-      trackingId: "1234",
-    });
+    expectTypeOf(data).toBeVoid();
   });
 });
diff --git a/clients/ts-sdk/src/types.gen.ts b/clients/ts-sdk/src/types.gen.ts
index 36472e14ba..8644352ffb 100644
--- a/clients/ts-sdk/src/types.gen.ts
+++ b/clients/ts-sdk/src/types.gen.ts
@@ -52,10 +52,9 @@ export type ApiKeyRespBody = {
     dataset_ids?: Array<(string)> | null;
     id: string;
     name: string;
-    organization_ids?: Array<(string)> | null;
+    organization_id: string;
     role: number;
     updated_at: string;
-    user_id: string;
 };
 
 export type AuthQuery = {
@@ -619,7 +618,7 @@ export type CrawlShopifyOptions = {
 
 export type CreateApiKeyReqPayload = {
     /**
-     * The dataset ids which the api key will have access to. If not provided or empty, the api key will have access to all datasets the auth'ed user has access to. If both dataset_ids and organization_ids are provided, the api key will have access to the intersection of the datasets and organizations.
+     * The dataset ids which the api key will have access to. If not provided or empty, the api key will have access to all datasets in the dataset.
      */
     dataset_ids?: Array<(string)> | null;
     default_params?: ((ApiKeyRequestParams) | null);
@@ -632,15 +631,11 @@ export type CreateApiKeyReqPayload = {
      */
     name: string;
     /**
-     * The organization ids which the api key will have access to. If not provided or empty, the api key will have access to all organizations the auth'ed user has access to.
-     */
-    organization_ids?: Array<(string)> | null;
-    /**
-     * The role which will be assigned to the new api key. Either 0 (read), 1 (read and write at the level of the currently auth'ed user). The auth'ed user must have a role greater than or equal to the role being assigned which means they must be an admin (1) or owner (2) of the organization to assign write permissions with a role of 1.
+     * The role which will be assigned to the new api key. Either 0 (read), 1 (Admin) or 2 (Owner). The auth'ed user must have a role greater than or equal to the role being assigned.
      */
     role: number;
     /**
-     * The routes which the api key will have access to. If not provided or empty, the api key will have access to all routes the auth'ed user has access to. Specify the routes as a list of strings. For example, ["GET /api/dataset", "POST /api/dataset"].
+     * The routes which the api key will have access to. If not provided or empty, the api key will have access to all routes. Specify the routes as a list of strings. For example, ["GET /api/dataset", "POST /api/dataset"].
      */
     scopes?: Array<(string)> | null;
 };
@@ -4224,6 +4219,41 @@ export type UpdateOrganizationData = {
 
 export type UpdateOrganizationResponse = (Organization);
 
+export type GetOrganizationApiKeysData = {
+    /**
+     * The organization id to use for the request.
+     */
+    trOrganization: string;
+};
+
+export type GetOrganizationApiKeysResponse = (Array<ApiKeyRespBody>);
+
+export type CreateOrganizationApiKeyData = {
+    /**
+     * JSON request payload to create a new organization api key
+     */
+    requestBody: CreateApiKeyReqPayload;
+    /**
+     * The organization id to use for the request.
+     */
+    trOrganization: string;
+};
+
+export type CreateOrganizationApiKeyResponse = (CreateApiKeyResponse);
+
+export type DeleteOrganizationApiKeyData = {
+    /**
+     * The id of the api key to delete
+     */
+    apiKeyId: string;
+    /**
+     * The organization id to use for the request.
+     */
+    trOrganization: string;
+};
+
+export type DeleteOrganizationApiKeyResponse = (void);
+
 export type UpdateAllOrgDatasetConfigsData = {
     /**
      * The organization data that you want to create
@@ -4437,24 +4467,6 @@ export type UpdateUserData = {
 
 export type UpdateUserResponse = (void);
 
-export type CreateUserApiKeyData = {
-    /**
-     * JSON request payload to create a new user api key
-     */
-    requestBody: CreateApiKeyReqPayload;
-};
-
-export type CreateUserApiKeyResponse = (CreateApiKeyResponse);
-
-export type DeleteUserApiKeyData = {
-    /**
-     * The id of the api key to delete
-     */
-    apiKeyId: string;
-};
-
-export type DeleteUserApiKeyResponse = (void);
-
 export type GetMetricsResponse = (string);
 
 export type $OpenApiTs = {
@@ -5694,6 +5706,49 @@ export type $OpenApiTs = {
             };
         };
     };
+    '/api/organization/api_key': {
+        get: {
+            req: GetOrganizationApiKeysData;
+            res: {
+                /**
+                 * JSON body representing the api_key for the organization
+                 */
+                200: Array<ApiKeyRespBody>;
+                /**
+                 * Service error relating to creating api_key for the organization
+                 */
+                400: ErrorResponseBody;
+            };
+        };
+        post: {
+            req: CreateOrganizationApiKeyData;
+            res: {
+                /**
+                 * JSON body representing the api_key for the organization
+                 */
+                200: CreateApiKeyResponse;
+                /**
+                 * Service error relating to creating api_key for the organization
+                 */
+                400: ErrorResponseBody;
+            };
+        };
+    };
+    '/api/organization/api_key/{api_key_id}': {
+        delete: {
+            req: DeleteOrganizationApiKeyData;
+            res: {
+                /**
+                 * Confirmation that the api key was deleted
+                 */
+                204: void;
+                /**
+                 * Service error relating to creating api_key for the organization
+                 */
+                400: ErrorResponseBody;
+            };
+        };
+    };
     '/api/organization/update_dataset_configs': {
         post: {
             req: UpdateAllOrgDatasetConfigsData;
@@ -5967,36 +6022,6 @@ export type $OpenApiTs = {
             };
         };
     };
-    '/api/user/api_key': {
-        post: {
-            req: CreateUserApiKeyData;
-            res: {
-                /**
-                 * JSON body representing the api_key for the user
-                 */
-                200: CreateApiKeyResponse;
-                /**
-                 * Service error relating to creating api_key for the user
-                 */
-                400: ErrorResponseBody;
-            };
-        };
-    };
-    '/api/user/api_key/{api_key_id}': {
-        delete: {
-            req: DeleteUserApiKeyData;
-            res: {
-                /**
-                 * Confirmation that the api key was deleted
-                 */
-                204: void;
-                /**
-                 * Service error relating to creating api_key for the user
-                 */
-                400: ErrorResponseBody;
-            };
-        };
-    };
     '/metrics': {
         post: {
             res: {
diff --git a/frontends/dashboard/src/components/ApiKeyGenerateModal.tsx b/frontends/dashboard/src/components/ApiKeyGenerateModal.tsx
index 74a328d80a..62338d96bd 100644
--- a/frontends/dashboard/src/components/ApiKeyGenerateModal.tsx
+++ b/frontends/dashboard/src/components/ApiKeyGenerateModal.tsx
@@ -6,7 +6,6 @@ import {
   JSX,
   Show,
   useContext,
-  createResource,
 } from "solid-js";
 import {
   Dialog,
@@ -17,11 +16,7 @@ import {
   DisclosureButton,
   DisclosurePanel,
 } from "terracotta";
-import {
-  DatasetAndUsage,
-  fromI32ToUserRole,
-  SetUserApiKeyResponse,
-} from "shared/types";
+import {  SetUserApiKeyResponse } from "shared/types";
 import { UserContext } from "../contexts/UserContext";
 import { createToast } from "./ShowToasts";
 import {
@@ -32,7 +27,6 @@ import {
 import { Item, MultiSelect } from "./MultiSelect";
 import { JsonInput, Tooltip } from "shared/ui";
 import { ApiRoutes, RouteScope } from "./Routes";
-import { Organization } from "trieve-ts-sdk";
 import { z } from "zod";
 import {
   chunkFilterSchema,
@@ -51,10 +45,8 @@ export const ApiKeyGenerateModal = (props: {
 
   const [apiKey, setApiKey] = createSignal<string>("");
   const [name, setName] = createSignal<string>("");
-  const [role, setRole] = createSignal<number>(1);
+  const [role, setRole] = createSignal<number>(0);
   const [generated, setGenerated] = createSignal<boolean>(false);
-  const organizations = createMemo(() => userContext?.user?.()?.orgs ?? []);
-  const [selectedOrgs, setSelectedOrgs] = createSignal<Organization[]>([]);
   const [selectedDatasetIds, setSelectedDatasetIds] = createSignal<Item[]>([]);
   const [selectedRoutes, setSelectedRoutes] = createSignal<Item[]>([]);
   const [defaultParams, setDefaultParams] =
@@ -81,44 +73,23 @@ export const ApiKeyGenerateModal = (props: {
     })
     .strict();
 
-  const [datasetsAndUsages] = createResource(
-    selectedOrgs,
-    async (selected) => {
-      const datasetsAndUsages: Item[] = [];
-      const resolved = await Promise.all(
-        selected.map((org) =>
-          fetch(`${apiHost}/dataset/organization/${org.id}`, {
-            credentials: "include",
-            headers: {
-              "TR-Organization": org.id,
-            },
-          }),
-        ),
-      );
-      for (const res of resolved) {
-        if (res.ok) {
-          const data = (await res.json()) as unknown as DatasetAndUsage[];
-          const mapped = data.map((d) => ({
-            name: d.dataset.name,
-            id: d.dataset.id,
-          }));
-          datasetsAndUsages.push(...mapped);
-        }
-      }
-
-      return datasetsAndUsages;
-    },
-    { initialValue: [] },
-  );
+  const datasetItems: Item[] =
+    userContext.orgDatasets()?.map((dataset) => {
+      return {
+        id: dataset.dataset.id,
+        name: dataset.dataset.name,
+      };
+    }) ?? [];
 
   const generateApiKey = () => {
     if (role() !== 0 && !role()) return;
 
-    void fetch(`${apiHost}/user/api_key`, {
+    void fetch(`${apiHost}/organization/api_key`, {
       credentials: "include",
       method: "POST",
       headers: {
         "Content-Type": "application/json",
+        "TR-Organization": userContext.selectedOrg().id,
       },
       body: JSON.stringify({
         name: name(),
@@ -127,10 +98,6 @@ export const ApiKeyGenerateModal = (props: {
           selectedDatasetIds().length > 0
             ? selectedDatasetIds().map((d) => d.id)
             : undefined,
-        organization_ids:
-          selectedOrgs().length > 0
-            ? selectedOrgs().map((org) => org.id)
-            : undefined,
         scopes:
           selectedRoutes().length > 0
             ? selectedRoutes()
@@ -262,13 +229,15 @@ export const ApiKeyGenerateModal = (props: {
                             }}
                             value={role()}
                           >
-                            <Show when={currentUserRole()}>
-                              {(currentRole) => (
-                                <option selected value={1}>
-                                  Read + Write -{" "}
-                                  {fromI32ToUserRole(currentRole())} Level
-                                </option>
-                              )}
+                            <Show when={currentUserRole() >= 2}>
+                              <option selected value={2}>
+                                Owner
+                              </option>
+                            </Show>
+                            <Show when={currentUserRole() >= 1}>
+                              <option selected value={1}>
+                                Admin
+                              </option>
                             </Show>
                             <option value={0}>Read Only</option>
                           </select>
@@ -314,21 +283,6 @@ export const ApiKeyGenerateModal = (props: {
                               }
                             />
                           </div>
-                          <div class="flex items-center space-x-2">
-                            <label
-                              for="organization"
-                              class="block text-sm font-medium leading-6"
-                            >
-                              Organizations:
-                            </label>
-                            <MultiSelect
-                              selected={selectedOrgs()}
-                              items={organizations()}
-                              setSelected={(selected: Organization[]) => {
-                                setSelectedOrgs(selected);
-                              }}
-                            />
-                          </div>
                           <div class="flex items-center space-x-2">
                             <label
                               for="organization"
@@ -337,8 +291,7 @@ export const ApiKeyGenerateModal = (props: {
                               Datasets:
                             </label>
                             <MultiSelect
-                              disabled={selectedOrgs().length === 0}
-                              items={datasetsAndUsages()}
+                              items={datasetItems}
                               selected={selectedDatasetIds()}
                               setSelected={(selected: Item[]) => {
                                 setSelectedDatasetIds(selected);
diff --git a/frontends/dashboard/src/components/ApiKeys.tsx b/frontends/dashboard/src/components/ApiKeys.tsx
index 71a0bb5237..7b8dcd2f9a 100644
--- a/frontends/dashboard/src/components/ApiKeys.tsx
+++ b/frontends/dashboard/src/components/ApiKeys.tsx
@@ -2,11 +2,7 @@ import { Show, createMemo, createSignal, useContext } from "solid-js";
 import { FaRegularTrashCan } from "solid-icons/fa";
 import { ApiKeyGenerateModal } from "./ApiKeyGenerateModal";
 import { UserContext } from "../contexts/UserContext";
-import {
-  ApiKeyRespBody,
-  fromI32ToApiKeyRole,
-  fromI32ToUserRole,
-} from "shared/types";
+import { fromI32ToApiKeyRole, fromI32ToUserRole } from "shared/types";
 import { formatDate } from "../utils/formatters";
 import { createMutation, createQuery } from "@tanstack/solid-query";
 import { useTrieve } from "../hooks/useTrieve";
@@ -16,6 +12,7 @@ import {
   getCoreRowModel,
 } from "@tanstack/solid-table";
 import { TanStackTable } from "shared/ui";
+import { ApiKeyRespBody } from "trieve-ts-sdk";
 
 const colHelp = createColumnHelper<ApiKeyRespBody>();
 
@@ -40,17 +37,22 @@ export const ApiKeys = () => {
   const apiKeysQuery = createQuery(() => ({
     queryKey: ["apiKeys", userContext.selectedOrg().id],
     queryFn: () => {
-      return trieve.fetch<"eject">(`/api/user/api_key`, "get", {}) as Promise<
-        ApiKeyRespBody[]
-      >;
+      return trieve.fetch(`/api/organization/api_key`, "get", {
+        organizationId: userContext.selectedOrg().id,
+      });
     },
   }));
 
   const deleteApiKeyMutation = createMutation(() => ({
     mutationFn: async (id: string) => {
-      return await trieve.fetch("/api/user/api_key/{api_key_id}", "delete", {
-        apiKeyId: id,
-      });
+      return await trieve.fetch(
+        "/api/organization/api_key/{api_key_id}",
+        "delete",
+        {
+          apiKeyId: id,
+          organizationId: userContext.selectedOrg().id,
+        },
+      );
     },
     onSuccess() {
       void apiKeysQuery.refetch();
@@ -83,12 +85,6 @@ export const ApiKeys = () => {
           return info.getValue()?.join(",");
         },
       }),
-      colHelp.accessor("organization_ids", {
-        header: "Organizations",
-        cell: (info) => {
-          return info.getValue()?.join(",");
-        },
-      }),
       colHelp.accessor("created_at", {
         header: "Created At",
         cell: (info) => {
diff --git a/frontends/dashboard/src/pages/dataset/PublicPageSettings.tsx b/frontends/dashboard/src/pages/dataset/PublicPageSettings.tsx
index d142c49128..aaf4454eca 100644
--- a/frontends/dashboard/src/pages/dataset/PublicPageSettings.tsx
+++ b/frontends/dashboard/src/pages/dataset/PublicPageSettings.tsx
@@ -117,14 +117,14 @@ export const PublicPageSettings = () => {
   const publishDataset = async () => {
     const name = `${datasetId()}-pregenerated-search-component`;
     if (!isPublic()) {
-      const response = await trieve.fetch("/api/user/api_key", "post", {
+      const response = await trieve.fetch("/api/organization/api_key", "post", {
         data: {
           name: name,
           role: 0,
           dataset_ids: [datasetId()],
-          organization_ids: [selectedOrg().id],
           scopes: ApiRoutes["Search Component Routes"],
         },
+        organizationId: selectedOrg().id,
       });
 
       await trieve.fetch("/api/dataset", "put", {
diff --git a/server/migrations/2024-11-21-215958_organization_api_key/down.sql b/server/migrations/2024-11-21-215958_organization_api_key/down.sql
new file mode 100644
index 0000000000..0d1047152e
--- /dev/null
+++ b/server/migrations/2024-11-21-215958_organization_api_key/down.sql
@@ -0,0 +1,3 @@
+-- This file should undo anything in `up.sql`
+DROP INDEX organization_api_key_api_key_hash_index;
+DROP TABLE organization_api_key;
\ No newline at end of file
diff --git a/server/migrations/2024-11-21-215958_organization_api_key/up.sql b/server/migrations/2024-11-21-215958_organization_api_key/up.sql
new file mode 100644
index 0000000000..d25ea460f5
--- /dev/null
+++ b/server/migrations/2024-11-21-215958_organization_api_key/up.sql
@@ -0,0 +1,17 @@
+-- Your SQL goes here
+CREATE TABLE organization_api_key (
+	id uuid NOT NULL DEFAULT gen_random_uuid() PRIMARY KEY,
+	organization_id uuid NOT NULL,
+	api_key_hash text NOT NULL UNIQUE,
+	name text NOT NULL DEFAULT 'default'::text,
+	created_at timestamp NOT NULL DEFAULT now(),
+	updated_at timestamp NOT NULL DEFAULT now(),
+	"role" int4 NOT NULL DEFAULT 0,
+	dataset_ids _text NULL,
+	scopes _text NULL,
+    params jsonb NULL,
+	expires_at timestamp NULL,
+    FOREIGN KEY (organization_id) REFERENCES organizations(id)
+);
+
+CREATE INDEX organization_api_key_api_key_hash_index ON organization_api_key USING btree (api_key_hash);
diff --git a/server/src/bin/crawl-worker.rs b/server/src/bin/crawl-worker.rs
index 0b74e0204f..a75e80e581 100644
--- a/server/src/bin/crawl-worker.rs
+++ b/server/src/bin/crawl-worker.rs
@@ -14,7 +14,7 @@ use trieve_server::{
     operators::{
         clickhouse_operator::{ClickHouseEvent, EventQueue},
         dataset_operator::get_dataset_by_id_query,
-        user_operator::hash_function,
+        organization_operator::hash_function,
     },
 };
 use trieve_server::{
diff --git a/server/src/data/models.rs b/server/src/data/models.rs
index 9be33046e9..6b9fed857e 100644
--- a/server/src/data/models.rs
+++ b/server/src/data/models.rs
@@ -3453,13 +3453,15 @@ impl ChunkMetadataTags {
 #[derive(Debug)]
 pub enum ApiKeyRole {
     Read = 0,
-    ReadAndWrite = 1,
+    Admin = 1,
+    Owner = 2,
 }
 
 impl From<i32> for ApiKeyRole {
     fn from(role: i32) -> Self {
         match role {
-            1 => ApiKeyRole::ReadAndWrite,
+            2 => ApiKeyRole::Owner,
+            1 => ApiKeyRole::Admin,
             _ => ApiKeyRole::Read,
         }
     }
@@ -3468,7 +3470,8 @@ impl From<i32> for ApiKeyRole {
 impl From<ApiKeyRole> for i32 {
     fn from(role: ApiKeyRole) -> Self {
         match role {
-            ApiKeyRole::ReadAndWrite => 1,
+            ApiKeyRole::Owner => 2,
+            ApiKeyRole::Admin => 1,
             ApiKeyRole::Read => 0,
         }
     }
@@ -3702,42 +3705,114 @@ impl UserApiKey {
         }
     }
 }
+#[derive(Debug, Serialize, Deserialize, Queryable, Insertable, Selectable, Clone, ToSchema)]
+#[schema(example = json!({
+    "id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3",
+    "user_id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3",
+    "api_key_hash": "hash",
+    "name": "Trieve",
+    "created_at": "2021-01-01 00:00:00.000",
+    "updated_at": "2021-01-01 00:00:00.000",
+    "role": 1,
+}))]
+#[diesel(table_name = organization_api_key)]
+pub struct OrganizationApiKey {
+    pub id: uuid::Uuid,
+    pub organization_id: uuid::Uuid,
+    pub api_key_hash: String,
+    pub name: String,
+    pub created_at: chrono::NaiveDateTime,
+    pub updated_at: chrono::NaiveDateTime,
+    pub role: i32,
+    pub dataset_ids: Option<Vec<Option<String>>>,
+    pub scopes: Option<Vec<Option<String>>>,
+    pub params: Option<serde_json::Value>,
+    pub expires_at: Option<chrono::NaiveDateTime>,
+}
+
+impl From<OrganizationApiKey> for UserApiKey {
+    fn from(api_key: OrganizationApiKey) -> Self {
+        UserApiKey {
+            id: api_key.id,
+            user_id: uuid::Uuid::default(),
+            api_key_hash: Some(api_key.api_key_hash),
+            name: api_key.name,
+            created_at: api_key.created_at,
+            updated_at: api_key.updated_at,
+            role: api_key.role,
+            blake3_hash: None,
+            dataset_ids: api_key.dataset_ids,
+            organization_ids: Some(vec![Some(api_key.organization_id.to_string())]),
+            scopes: api_key.scopes,
+            params: api_key.params,
+            expires_at: api_key.expires_at,
+        }
+    }
+}
+
+impl OrganizationApiKey {
+    #[allow(clippy::too_many_arguments)]
+    pub fn from_details(
+        organization_id: uuid::Uuid,
+        api_key_hash: String,
+        name: String,
+        role: ApiKeyRole,
+        dataset_ids: Option<Vec<uuid::Uuid>>,
+        scopes: Option<Vec<String>>,
+        params: Option<ApiKeyRequestParams>,
+        expires_at: Option<chrono::NaiveDateTime>,
+    ) -> Self {
+        OrganizationApiKey {
+            id: uuid::Uuid::new_v4(),
+            organization_id,
+            api_key_hash,
+            name,
+            created_at: chrono::Utc::now().naive_local(),
+            updated_at: chrono::Utc::now().naive_local(),
+            role: role.into(),
+            dataset_ids: dataset_ids
+                .map(|ids| ids.into_iter().map(|id| Some(id.to_string())).collect()),
+            scopes: scopes.map(|scopes| scopes.into_iter().map(Some).collect()),
+            params: if params.is_some() {
+                serde_json::to_value(params).ok()
+            } else {
+                None
+            },
+            expires_at,
+        }
+    }
+}
 
 #[derive(Debug, Serialize, Deserialize, Clone, ToSchema)]
 #[schema(example = json!({
     "id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3",
-    "user_id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3",
+    "organization_id": "e3e3e3e3-e3e3-e3e3-e3e3-e3e3e3e3e3e3",
     "name": "Trieve",
     "role": 1,
     "dataset_ids": ["d0d0d0d0-d0d0-d0d0-d0d0-d0d0d0d0d0d0"],
-    "organization_ids": ["o1o1o1o1-o1o1-o1o1-o1o1-o1o1o1o1o1o1"],
     "created_at": "2021-01-01 00:00:00.000",
     "updated_at": "2021-01-01 00:00:00.000",
 }))]
 pub struct ApiKeyRespBody {
     pub id: uuid::Uuid,
-    pub user_id: uuid::Uuid,
+    pub organization_id: uuid::Uuid,
     pub name: String,
     pub role: i32,
     pub dataset_ids: Option<Vec<String>>,
-    pub organization_ids: Option<Vec<String>>,
     pub created_at: chrono::NaiveDateTime,
     pub updated_at: chrono::NaiveDateTime,
 }
 
-impl From<UserApiKey> for ApiKeyRespBody {
-    fn from(api_key: UserApiKey) -> Self {
+impl From<OrganizationApiKey> for ApiKeyRespBody {
+    fn from(api_key: OrganizationApiKey) -> Self {
         ApiKeyRespBody {
             id: api_key.id,
-            user_id: api_key.user_id,
+            organization_id: api_key.organization_id,
             name: api_key.name,
             role: api_key.role,
             dataset_ids: api_key
                 .dataset_ids
                 .map(|ids| ids.into_iter().flatten().collect()),
-            organization_ids: api_key
-                .organization_ids
-                .map(|ids| ids.into_iter().flatten().collect()),
             created_at: api_key.created_at,
             updated_at: api_key.updated_at,
         }
diff --git a/server/src/data/schema.rs b/server/src/data/schema.rs
index 3dff045751..1c6ad3dd5c 100644
--- a/server/src/data/schema.rs
+++ b/server/src/data/schema.rs
@@ -175,6 +175,22 @@ diesel::table! {
     }
 }
 
+diesel::table! {
+    organization_api_key (id) {
+        id -> Uuid,
+        organization_id -> Uuid,
+        api_key_hash -> Text,
+        name -> Text,
+        created_at -> Timestamp,
+        updated_at -> Timestamp,
+        role -> Int4,
+        dataset_ids -> Nullable<Array<Nullable<Text>>>,
+        scopes -> Nullable<Array<Nullable<Text>>>,
+        params -> Nullable<Jsonb>,
+        expires_at -> Nullable<Timestamp>,
+    }
+}
+
 diesel::table! {
     organization_usage_counts (id) {
         id -> Uuid,
@@ -308,6 +324,7 @@ diesel::joinable!(groups_from_files -> chunk_group (group_id));
 diesel::joinable!(groups_from_files -> files (file_id));
 diesel::joinable!(messages -> datasets (dataset_id));
 diesel::joinable!(messages -> topics (topic_id));
+diesel::joinable!(organization_api_key -> organizations (organization_id));
 diesel::joinable!(organization_usage_counts -> organizations (org_id));
 diesel::joinable!(stripe_invoices -> organizations (org_id));
 diesel::joinable!(stripe_subscriptions -> organizations (organization_id));
@@ -333,6 +350,7 @@ diesel::allow_tables_to_appear_in_same_query!(
     groups_from_files,
     invitations,
     messages,
+    organization_api_key,
     organization_usage_counts,
     organizations,
     stripe_invoices,
diff --git a/server/src/handlers/organization_handler.rs b/server/src/handlers/organization_handler.rs
index 1fdda7e88b..6be01fe11b 100644
--- a/server/src/handlers/organization_handler.rs
+++ b/server/src/handlers/organization_handler.rs
@@ -1,12 +1,16 @@
 use super::auth_handler::{AdminOnly, LoggedUser, OwnerOnly};
 use crate::{
-    data::models::{OrganizationWithSubAndPlan, Pool, RedisPool, UserOrganization, UserRole},
+    data::models::{
+        ApiKeyRequestParams, OrganizationWithSubAndPlan, Pool, RedisPool, UserOrganization,
+        UserRole,
+    },
     errors::ServiceError,
     middleware::auth_middleware::{get_role_for_org, verify_admin, verify_owner},
     operators::{
         organization_operator::{
-            create_organization_query, delete_organization_query, get_org_from_id_query,
-            get_org_usage_by_id_query, get_org_users_by_id_query,
+            create_organization_api_key_query, create_organization_query,
+            delete_organization_api_keys_query, delete_organization_query, get_org_from_id_query,
+            get_org_usage_by_id_query, get_org_users_by_id_query, get_organization_api_keys_query,
             update_all_org_dataset_configs_query, update_organization_query,
         },
         user_operator::{add_user_to_organization, remove_user_from_org_query},
@@ -400,3 +404,130 @@ pub async fn update_all_org_dataset_configs(
 
     Ok(HttpResponse::NoContent().finish())
 }
+
+#[derive(Debug, Serialize, Deserialize, ToSchema)]
+pub struct CreateApiKeyReqPayload {
+    /// The name which will be assigned to the new api key.
+    pub name: String,
+    /// The role which will be assigned to the new api key. Either 0 (read), 1 (Admin) or 2 (Owner). The auth'ed user must have a role greater than or equal to the role being assigned.
+    pub role: i32,
+    /// The dataset ids which the api key will have access to. If not provided or empty, the api key will have access to all datasets in the dataset.
+    pub dataset_ids: Option<Vec<uuid::Uuid>>,
+    /// The routes which the api key will have access to. If not provided or empty, the api key will have access to all routes. Specify the routes as a list of strings. For example, ["GET /api/dataset", "POST /api/dataset"].
+    pub scopes: Option<Vec<String>>,
+    /// The expiration date of the api key. If not provided, the api key will not expire. This should be provided in UTC time.
+    pub expires_at: Option<String>,
+    /// The default parameters which will be forcibly used when the api key is given on a request. If not provided, the api key will not have default parameters.
+    pub default_params: Option<ApiKeyRequestParams>,
+}
+
+#[derive(Serialize, Deserialize, ToSchema)]
+pub struct CreateApiKeyResponse {
+    /// The api key which was created. This is the value which should be used in the Authorization header.
+    api_key: String,
+}
+
+/// Create Organization Api Key
+///
+/// Create a new api key for the organization. Successful response will contain the newly created api key.
+#[utoipa::path(
+    post,
+    path = "/organization/api_key",
+    context_path = "/api",
+    tag = "Organization",
+    request_body(content = CreateApiKeyReqPayload, description = "JSON request payload to create a new organization api key", content_type = "application/json"),
+    responses(
+        (status = 200, description = "JSON body representing the api_key for the organization", body = CreateApiKeyResponse),
+        (status = 400, description = "Service error relating to creating api_key for the organization", body = ErrorResponseBody),
+    ),
+    params(
+        ("TR-Organization" = uuid::Uuid, Header, description = "The organization id to use for the request."),
+    ),
+    security(
+        ("ApiKey" = ["readonly"]),
+    )
+)]
+pub async fn create_organization_api_key(
+    _user: LoggedUser,
+    data: web::Json<CreateApiKeyReqPayload>,
+    organization: OrganizationWithSubAndPlan,
+    pool: web::Data<Pool>,
+) -> Result<HttpResponse, actix_web::Error> {
+    let new_api_key =
+        create_organization_api_key_query(organization.organization.id, data.into_inner(), pool)
+            .await
+            .map_err(|err| {
+                ServiceError::BadRequest(format!(
+                    "Failed to set new API key for organization {}",
+                    err
+                ))
+            })?;
+
+    Ok(HttpResponse::Ok().json(CreateApiKeyResponse {
+        api_key: new_api_key,
+    }))
+}
+
+/// Get Organization Api Keys
+///
+/// Get the api keys which belong to the organization. The actual api key values are not returned, only the ids, names, and creation dates.
+#[utoipa::path(
+    get,
+    path = "/organization/api_key",
+    context_path = "/api",
+    tag = "Organization",
+    responses(
+        (status = 200, description = "JSON body representing the api_key for the organization", body = Vec<ApiKeyRespBody>),
+        (status = 400, description = "Service error relating to creating api_key for the organization", body = ErrorResponseBody),
+    ),
+    params(
+        ("TR-Organization" = uuid::Uuid, Header, description = "The organization id to use for the request."),
+    ),
+    security(
+        ("ApiKey" = ["readonly"]),
+    )
+)]
+pub async fn get_organization_api_keys(
+    _user: AdminOnly,
+    organization: OrganizationWithSubAndPlan,
+    pool: web::Data<Pool>,
+) -> Result<HttpResponse, actix_web::Error> {
+    let api_keys = get_organization_api_keys_query(organization.organization.id, pool)
+        .await
+        .map_err(|_err| ServiceError::BadRequest("Failed to get API keys for user".into()))?;
+
+    Ok(HttpResponse::Ok().json(api_keys))
+}
+
+/// Delete Organization Api Key
+///
+/// Delete an api key for the auth'ed organization.
+#[utoipa::path(
+    delete,
+    path = "/organization/api_key/{api_key_id}",
+    context_path = "/api",
+    tag = "Organization",
+    responses(
+        (status = 204, description = "Confirmation that the api key was deleted"),
+        (status = 400, description = "Service error relating to creating api_key for the organization", body = ErrorResponseBody),
+    ),
+    params(
+        ("api_key_id" = uuid::Uuid, Path, description = "The id of the api key to delete"),
+        ("TR-Organization" = uuid::Uuid, Header, description = "The organization id to use for the request."),
+    ),
+    security(
+        ("ApiKey" = ["readonly"]),
+    )
+)]
+pub async fn delete_organization_api_key(
+    _user: AdminOnly,
+    organization: OrganizationWithSubAndPlan,
+    data: web::Path<uuid::Uuid>,
+    pool: web::Data<Pool>,
+) -> Result<HttpResponse, actix_web::Error> {
+    delete_organization_api_keys_query(organization.organization.id, data.into_inner(), pool)
+        .await
+        .map_err(|_err| ServiceError::BadRequest("Failed to get API keys for user".into()))?;
+
+    Ok(HttpResponse::NoContent().finish())
+}
diff --git a/server/src/handlers/user_handler.rs b/server/src/handlers/user_handler.rs
index f4381a4633..df973a7cfc 100644
--- a/server/src/handlers/user_handler.rs
+++ b/server/src/handlers/user_handler.rs
@@ -1,11 +1,8 @@
 use super::auth_handler::LoggedUser;
 use crate::{
-    data::models::{ApiKeyRequestParams, OrganizationWithSubAndPlan, Pool, RedisPool, UserRole},
+    data::models::{OrganizationWithSubAndPlan, Pool, RedisPool, UserRole},
     errors::ServiceError,
-    operators::user_operator::{
-        create_user_api_key_query, delete_user_api_keys_query, get_user_api_keys_query,
-        get_user_by_id_query, update_user_org_role_query,
-    },
+    operators::user_operator::{get_user_by_id_query, update_user_org_role_query},
 };
 use actix_web::{web, HttpResponse};
 use serde::{Deserialize, Serialize};
@@ -97,116 +94,3 @@ pub async fn update_user(
 
     Ok(HttpResponse::NoContent().finish())
 }
-
-#[derive(Debug, Serialize, Deserialize, ToSchema)]
-pub struct CreateApiKeyReqPayload {
-    /// The name which will be assigned to the new api key.
-    pub name: String,
-    /// The role which will be assigned to the new api key. Either 0 (read), 1 (read and write at the level of the currently auth'ed user). The auth'ed user must have a role greater than or equal to the role being assigned which means they must be an admin (1) or owner (2) of the organization to assign write permissions with a role of 1.
-    pub role: i32,
-    /// The dataset ids which the api key will have access to. If not provided or empty, the api key will have access to all datasets the auth'ed user has access to. If both dataset_ids and organization_ids are provided, the api key will have access to the intersection of the datasets and organizations.
-    pub dataset_ids: Option<Vec<uuid::Uuid>>,
-    /// The organization ids which the api key will have access to. If not provided or empty, the api key will have access to all organizations the auth'ed user has access to.
-    pub organization_ids: Option<Vec<uuid::Uuid>>,
-    /// The routes which the api key will have access to. If not provided or empty, the api key will have access to all routes the auth'ed user has access to. Specify the routes as a list of strings. For example, ["GET /api/dataset", "POST /api/dataset"].
-    pub scopes: Option<Vec<String>>,
-    /// The expiration date of the api key. If not provided, the api key will not expire. This should be provided in UTC time.
-    pub expires_at: Option<String>,
-    /// The default parameters which will be forcibly used when the api key is given on a request. If not provided, the api key will not have default parameters.
-    pub default_params: Option<ApiKeyRequestParams>,
-}
-
-#[derive(Serialize, Deserialize, ToSchema)]
-pub struct CreateApiKeyResponse {
-    /// The api key which was created. This is the value which should be used in the Authorization header.
-    api_key: String,
-}
-
-/// Create User Api Key
-///
-/// Create a new api key for the auth'ed user. Successful response will contain the newly created api key. If a write role is assigned the api key will have permission level of the auth'ed user who calls this endpoint.
-#[utoipa::path(
-    post,
-    path = "/user/api_key",
-    context_path = "/api",
-    tag = "User",
-    request_body(content = CreateApiKeyReqPayload, description = "JSON request payload to create a new user api key", content_type = "application/json"),
-    responses(
-        (status = 200, description = "JSON body representing the api_key for the user", body = CreateApiKeyResponse),
-        (status = 400, description = "Service error relating to creating api_key for the user", body = ErrorResponseBody),
-    ),
-    security(
-        ("ApiKey" = ["readonly"]),
-    )
-)]
-pub async fn create_user_api_key(
-    user: LoggedUser,
-    data: web::Json<CreateApiKeyReqPayload>,
-    pool: web::Data<Pool>,
-) -> Result<HttpResponse, actix_web::Error> {
-    let new_api_key = create_user_api_key_query(user.id, data.into_inner(), pool)
-        .await
-        .map_err(|_err| ServiceError::BadRequest("Failed to set new API key for user".into()))?;
-
-    Ok(HttpResponse::Ok().json(CreateApiKeyResponse {
-        api_key: new_api_key,
-    }))
-}
-
-/// Get User Api Keys
-///
-/// Get the api keys which belong to the auth'ed user. The actual api key values are not returned, only the ids, names, and creation dates.
-#[utoipa::path(
-    post,
-    path = "/user/api_key",
-    context_path = "/api",
-    tag = "User",
-    responses(
-        (status = 200, description = "JSON body representing the api_key for the user", body = Vec<ApiKeyRespBody>),
-        (status = 400, description = "Service error relating to creating api_key for the user", body = ErrorResponseBody),
-    ),
-    security(
-        ("ApiKey" = ["readonly"]),
-    )
-)]
-pub async fn get_user_api_keys(
-    user: LoggedUser,
-    pool: web::Data<Pool>,
-) -> Result<HttpResponse, actix_web::Error> {
-    let api_keys = get_user_api_keys_query(user.id, pool)
-        .await
-        .map_err(|_err| ServiceError::BadRequest("Failed to get API keys for user".into()))?;
-
-    Ok(HttpResponse::Ok().json(api_keys))
-}
-
-/// Delete User Api Key
-///
-/// Delete an api key for the auth'ed user.
-#[utoipa::path(
-    delete,
-    path = "/user/api_key/{api_key_id}",
-    context_path = "/api",
-    tag = "User",
-    responses(
-        (status = 204, description = "Confirmation that the api key was deleted"),
-        (status = 400, description = "Service error relating to creating api_key for the user", body = ErrorResponseBody),
-    ),
-    params(
-        ("api_key_id" = uuid::Uuid, Path, description = "The id of the api key to delete"),
-    ),
-    security(
-        ("ApiKey" = ["readonly"]),
-    )
-)]
-pub async fn delete_user_api_key(
-    user: LoggedUser,
-    data: web::Path<uuid::Uuid>,
-    pool: web::Data<Pool>,
-) -> Result<HttpResponse, actix_web::Error> {
-    delete_user_api_keys_query(user.id, data.into_inner(), pool)
-        .await
-        .map_err(|_err| ServiceError::BadRequest("Failed to get API keys for user".into()))?;
-
-    Ok(HttpResponse::NoContent().finish())
-}
diff --git a/server/src/lib.rs b/server/src/lib.rs
index 08a708a9f8..cf7141c007 100644
--- a/server/src/lib.rs
+++ b/server/src/lib.rs
@@ -29,6 +29,7 @@ use diesel_migrations::{embed_migrations, EmbeddedMigrations, MigrationHarness};
 use futures_util::future::BoxFuture;
 use futures_util::FutureExt;
 use minijinja::Environment;
+use once_cell::sync::Lazy;
 use openssl::ssl::SslVerifyMode;
 use openssl::ssl::{SslConnector, SslMethod};
 use postgres_openssl::MakeTlsConnector;
@@ -48,6 +49,12 @@ pub const SECONDS_IN_MINUTE: u64 = 60;
 pub const SECONDS_IN_HOUR: u64 = 60 * SECONDS_IN_MINUTE;
 pub const SECONDS_IN_DAY: u64 = 24 * SECONDS_IN_HOUR;
 
+pub static SECRET_KEY: Lazy<String> =
+    Lazy::new(|| std::env::var("SECRET_KEY").unwrap_or_else(|_| "0123".repeat(16)));
+
+pub static SALT: Lazy<String> =
+    Lazy::new(|| std::env::var("SALT").unwrap_or_else(|_| "supersecuresalt".to_string()));
+
 fn run_migrations(url: &str) {
     use diesel::prelude::*;
 
@@ -142,7 +149,7 @@ impl Modify for SecurityAddon {
             name = "BSL",
             url = "https://github.com/devflowinc/trieve/blob/main/LICENSE.txt",
         ),
-        version = "0.12.1",
+        version = "0.13.0",
     ),
     servers(
         (url = "https://api.trieve.ai",
@@ -191,8 +198,9 @@ impl Modify for SecurityAddon {
         handlers::chunk_handler::bulk_delete_chunk,
         handlers::dataset_handler::get_all_tags,
         handlers::user_handler::update_user,
-        handlers::user_handler::create_user_api_key,
-        handlers::user_handler::delete_user_api_key,
+        handlers::organization_handler::create_organization_api_key,
+        handlers::organization_handler::delete_organization_api_key,
+        handlers::organization_handler::get_organization_api_keys,
         handlers::group_handler::search_over_groups,
         handlers::group_handler::count_group_chunks,
         handlers::group_handler::get_recommended_groups,
@@ -336,8 +344,8 @@ impl Modify for SecurityAddon {
             handlers::group_handler::AddChunkToGroupReqPayload,
             handlers::group_handler::RecommendGroupsResponseBody,
             handlers::user_handler::UpdateUserOrgRoleReqPayload,
-            handlers::user_handler::CreateApiKeyReqPayload,
-            handlers::user_handler::CreateApiKeyResponse,
+            handlers::organization_handler::CreateApiKeyReqPayload,
+            handlers::organization_handler::CreateApiKeyResponse,
             operators::group_operator::GroupsForChunk,
             handlers::file_handler::UploadFileReqPayload,
             handlers::file_handler::UploadFileResult,
@@ -705,7 +713,7 @@ pub fn main() -> std::io::Result<()> {
                 .wrap(
                     SessionMiddleware::builder(
                         redis_store.clone(),
-                        Key::from(operators::user_operator::SECRET_KEY.as_bytes()),
+                        Key::from(SECRET_KEY.as_bytes()),
                     )
                     .session_lifecycle(
                         PersistentSession::default().session_ttl(time::Duration::days(1)),
@@ -967,17 +975,6 @@ pub fn main() -> std::io::Result<()> {
                                     web::resource("")
                                         .route(web::put().to(handlers::user_handler::update_user)),
                                 )
-                                .service(
-                                    web::resource("/api_key")
-                                        .route(web::post().to(handlers::user_handler::create_user_api_key))
-                                        .route(web::get().to(handlers::user_handler::get_user_api_keys))
-                                )
-                                .service(
-                                    web::resource("/api_key/{api_key_id}")
-                                        .route(
-                                            web::delete().to(handlers::user_handler::delete_user_api_key),
-                                        ),
-                                )
                         )
                         .service(
                             web::scope("/chunk_group")
@@ -1112,6 +1109,17 @@ pub fn main() -> std::io::Result<()> {
                                     web::resource("/update_dataset_configs")
                                         .route(web::post().to(handlers::organization_handler::update_all_org_dataset_configs)),
                                 )
+                                .service(
+                                    web::resource("/api_key")
+                                        .route(web::post().to(handlers::organization_handler::create_organization_api_key))
+                                        .route(web::get().to(handlers::organization_handler::get_organization_api_keys))
+                                )
+                                .service(
+                                    web::resource("/api_key/{api_key_id}")
+                                        .route(
+                                            web::delete().to(handlers::organization_handler::delete_organization_api_key),
+                                        ),
+                                )
                                 .service(
                                     web::resource("/{organization_id}/user/{user_id}")
                                         .route(web::delete().to(handlers::organization_handler::remove_user_from_org)),
diff --git a/server/src/middleware/auth_middleware.rs b/server/src/middleware/auth_middleware.rs
index edc6b2ee88..dfaa931601 100644
--- a/server/src/middleware/auth_middleware.rs
+++ b/server/src/middleware/auth_middleware.rs
@@ -13,7 +13,7 @@ use crate::{
         dataset_operator::get_dataset_and_organization_from_dataset_id_query,
         organization_operator::{
             get_arbitrary_org_owner_from_dataset_id, get_arbitrary_org_owner_from_org_id,
-            get_org_from_id_query,
+            get_assumed_user_by_organization_api_key, get_org_from_id_query,
         },
         user_operator::{get_user_by_id_query, get_user_from_api_key_query},
     },
@@ -314,6 +314,18 @@ async fn auth_with_api_key(
             }
         }
 
+        if let Ok((user, api_key)) =
+            get_assumed_user_by_organization_api_key(authen_header.as_str(), pool.clone()).await
+        {
+            if let Some(ref api_key_params) = api_key.params {
+                let params = serde_json::from_value(api_key_params.clone()).unwrap();
+                insert_api_key_payload(req, params).await.map_err(|_| {
+                    ServiceError::BadRequest("Could not insert api key payload".to_string())
+                })?;
+            }
+            return Ok((Some(user), Some(api_key)));
+        }
+
         //TODO: Cache the api key in redis
         if let Ok((user, api_key)) =
             get_user_from_api_key_query(authen_header.as_str(), pool.clone()).await
diff --git a/server/src/operators/organization_operator.rs b/server/src/operators/organization_operator.rs
index 85982fe6ca..68ecf8739b 100644
--- a/server/src/operators/organization_operator.rs
+++ b/server/src/operators/organization_operator.rs
@@ -1,20 +1,24 @@
 use crate::{
     data::models::{
-        Dataset, DatasetConfiguration, Organization, OrganizationUsageCount,
-        OrganizationWithSubAndPlan, Pool, RedisPool, SlimUser, StripePlan, StripeSubscription,
-        User, UserOrganization,
+        ApiKeyRespBody, Dataset, DatasetConfiguration, Organization, OrganizationApiKey,
+        OrganizationUsageCount, OrganizationWithSubAndPlan, Pool, RedisPool, SlimUser, StripePlan,
+        StripeSubscription, User, UserApiKey, UserOrganization,
     },
     errors::ServiceError,
+    handlers::organization_handler::CreateApiKeyReqPayload,
     operators::dataset_operator::soft_delete_dataset_by_id_query,
     randutil,
 };
 use actix_web::{web, HttpRequest};
+use chrono::NaiveDateTime;
+use dateparser::DateTimeUtc;
 use diesel::{
     prelude::*, result::DatabaseErrorKind, sql_query, ExpressionMethods, JoinOnDsl,
     NullableExpressionMethods, SelectableHelper, Table,
 };
 use diesel_async::RunQueryDsl;
 use itertools::Itertools;
+use rand::{distributions::Alphanumeric, Rng};
 use redis::AsyncCommands;
 
 /// Creates a dataset from Name if it doesn't conflict. If it does, then it creates a random name
@@ -654,3 +658,147 @@ pub async fn update_all_org_dataset_configs_query(
 
     Ok(())
 }
+
+pub fn generate_api_key() -> String {
+    let rng = rand::thread_rng();
+    let api_key: String = format!(
+        "tr-{}",
+        rng.sample_iter(&Alphanumeric)
+            .take(32)
+            .map(char::from)
+            .collect::<String>()
+    );
+
+    api_key
+}
+
+pub fn hash_function(password: &str) -> String {
+    blake3::hash(password.as_bytes()).to_string()
+}
+
+pub async fn create_organization_api_key_query(
+    organization_id: uuid::Uuid,
+    data: CreateApiKeyReqPayload,
+    pool: web::Data<Pool>,
+) -> Result<String, ServiceError> {
+    let raw_api_key = generate_api_key();
+    let hashed_api_key = hash_function(&raw_api_key);
+
+    let mut conn = pool.get().await.map_err(|_e| {
+        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
+    })?;
+
+    let expiry = {
+        data.expires_at
+            .clone()
+            .and_then(|ts| -> Option<NaiveDateTime> {
+                ts.parse::<DateTimeUtc>()
+                    .ok()
+                    .map(|date| date.0.naive_utc())
+            })
+    };
+
+    let api_key_struct = OrganizationApiKey::from_details(
+        organization_id,
+        hashed_api_key.clone(),
+        data.name,
+        data.role.into(),
+        data.dataset_ids,
+        data.scopes,
+        data.default_params,
+        expiry,
+    );
+
+    diesel::insert_into(crate::data::schema::organization_api_key::dsl::organization_api_key)
+        .values(&api_key_struct)
+        .execute(&mut conn)
+        .await
+        .map_err(|err| ServiceError::BadRequest(format!("Error setting api key {}", err)))?;
+
+    Ok(raw_api_key)
+}
+
+pub async fn get_organization_api_keys_query(
+    organization_id: uuid::Uuid,
+    pool: web::Data<Pool>,
+) -> Result<Vec<ApiKeyRespBody>, ServiceError> {
+    use crate::data::schema::organization_api_key::dsl as organization_api_key_columns;
+
+    let mut conn = pool.get().await.map_err(|_e| {
+        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
+    })?;
+
+    let api_keys = organization_api_key_columns::organization_api_key
+        .filter(organization_api_key_columns::organization_id.eq(organization_id))
+        .select(OrganizationApiKey::as_select())
+        .load::<OrganizationApiKey>(&mut conn)
+        .await
+        .map_err(|_| ServiceError::BadRequest("Error loading organization api keys".to_string()))?;
+
+    let api_keys = api_keys
+        .into_iter()
+        .map(|api_key| api_key.into())
+        .collect::<Vec<ApiKeyRespBody>>();
+    Ok(api_keys)
+}
+
+pub async fn delete_organization_api_keys_query(
+    organization_id: uuid::Uuid,
+    api_key_id: uuid::Uuid,
+    pool: web::Data<Pool>,
+) -> Result<(), ServiceError> {
+    use crate::data::schema::organization_api_key::dsl as organization_api_key_columns;
+
+    let mut conn = pool.get().await.map_err(|_e| {
+        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
+    })?;
+
+    diesel::delete(
+        organization_api_key_columns::organization_api_key
+            .filter(organization_api_key_columns::organization_id.eq(organization_id))
+            .filter(organization_api_key_columns::id.eq(api_key_id)),
+    )
+    .execute(&mut conn)
+    .await
+    .map_err(|_| ServiceError::BadRequest("Error deleting organization api key".to_string()))?;
+
+    Ok(())
+}
+
+pub async fn get_assumed_user_by_organization_api_key(
+    api_key: &str,
+    pool: web::Data<Pool>,
+) -> Result<(SlimUser, UserApiKey), ServiceError> {
+    use crate::data::schema::organization_api_key::dsl as organization_api_key_columns;
+
+    let mut conn = pool.get().await.map_err(|_e| {
+        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
+    })?;
+
+    let api_key: OrganizationApiKey = organization_api_key_columns::organization_api_key
+        .filter(organization_api_key_columns::api_key_hash.eq(hash_function(api_key)))
+        .select(OrganizationApiKey::as_select())
+        .first::<OrganizationApiKey>(&mut conn)
+        .await
+        .map_err(|_| ServiceError::Unauthorized)?;
+
+    let organization = get_org_from_id_query(api_key.organization_id, pool.clone()).await?;
+
+    let user = SlimUser {
+        id: api_key.organization_id,
+        email: "".to_string(),
+        name: Some("".to_string()),
+        created_at: chrono::Utc::now().naive_utc(),
+        user_orgs: vec![UserOrganization {
+            id: uuid::Uuid::new_v4(),
+            user_id: api_key.organization_id,
+            organization_id: api_key.organization_id,
+            role: api_key.role,
+            created_at: chrono::Utc::now().naive_utc(),
+            updated_at: chrono::Utc::now().naive_utc(),
+        }],
+        orgs: vec![organization.organization],
+    };
+
+    Ok((user, api_key.into()))
+}
diff --git a/server/src/operators/user_operator.rs b/server/src/operators/user_operator.rs
index e85334d71f..f85d990cb4 100644
--- a/server/src/operators/user_operator.rs
+++ b/server/src/operators/user_operator.rs
@@ -1,21 +1,15 @@
 use crate::data::models::{
-    ApiKeyRespBody, ApiKeyRole, Organization, RedisPool, SlimUser, UserApiKey, UserOrganization,
-    UserRole,
+    ApiKeyRole, Organization, RedisPool, SlimUser, UserApiKey, UserOrganization, UserRole,
 };
+use crate::operators::organization_operator::hash_function;
 use crate::{
     data::models::{Pool, User},
     errors::ServiceError,
-    handlers::user_handler::CreateApiKeyReqPayload,
 };
 use actix_web::{web, HttpRequest};
-use argon2::Config;
-use chrono::NaiveDateTime;
-use dateparser::DateTimeUtc;
 use diesel::prelude::*;
-use diesel_async::{scoped_futures::ScopedFutureExt, AsyncConnection, RunQueryDsl};
-use once_cell::sync::Lazy;
-use rand::distributions::Alphanumeric;
-use rand::Rng;
+use diesel_async::scoped_futures::ScopedFutureExt;
+use diesel_async::{AsyncConnection, RunQueryDsl};
 use redis::AsyncCommands;
 
 pub async fn get_user_by_id_query(
@@ -197,80 +191,51 @@ pub async fn update_user_org_role_query(
     Ok(())
 }
 
-pub fn generate_api_key() -> String {
-    let rng = rand::thread_rng();
-    let api_key: String = format!(
-        "tr-{}",
-        rng.sample_iter(&Alphanumeric)
-            .take(32)
-            .map(char::from)
-            .collect::<String>()
-    );
-
-    api_key
-}
-
-pub static SECRET_KEY: Lazy<String> =
-    Lazy::new(|| std::env::var("SECRET_KEY").unwrap_or_else(|_| "0123".repeat(16)));
-
-pub static SALT: Lazy<String> =
-    Lazy::new(|| std::env::var("SALT").unwrap_or_else(|_| "supersecuresalt".to_string()));
-
-pub fn hash_argon2_api_key(password: &str) -> Result<String, ServiceError> {
-    let config = Config {
-        secret: SECRET_KEY.as_bytes(),
-        ..Config::original()
-    };
-    argon2::hash_encoded(password.as_bytes(), SALT.as_bytes(), &config).map_err(|_err| {
-        ServiceError::BadRequest("Error processing password, try again".to_string())
-    })
-}
-
-pub fn hash_function(password: &str) -> String {
-    blake3::hash(password.as_bytes()).to_string()
-}
-
-pub async fn create_user_api_key_query(
-    user_id: uuid::Uuid,
-    data: CreateApiKeyReqPayload,
+pub async fn create_user_query(
+    user_oidc_subject: String,
+    email: String,
+    name: Option<String>,
+    role: UserRole,
+    org_id: uuid::Uuid,
     pool: web::Data<Pool>,
-) -> Result<String, ServiceError> {
-    let raw_api_key = generate_api_key();
-    let hashed_api_key = hash_function(&raw_api_key);
+) -> Result<(User, Vec<UserOrganization>, Vec<Organization>), ServiceError> {
+    use crate::data::schema::user_organizations::dsl as user_organizations_columns;
+    use crate::data::schema::users::dsl as users_columns;
 
     let mut conn = pool.get().await.map_err(|_e| {
         ServiceError::InternalServerError("Failed to get postgres connection".to_string())
     })?;
 
-    let expiry = {
-        data.expires_at
-            .clone()
-            .and_then(|ts| -> Option<NaiveDateTime> {
-                ts.parse::<DateTimeUtc>()
-                    .ok()
-                    .map(|date| date.0.naive_utc())
-            })
-    };
+    let user = User::from_details_with_id(user_oidc_subject, email, name);
+    let user_org = UserOrganization::from_details(user.id, org_id, role);
 
-    let api_key_struct = UserApiKey::from_details(
-        user_id,
-        hashed_api_key.clone(),
-        data.name,
-        data.role.into(),
-        data.dataset_ids,
-        data.organization_ids,
-        data.scopes,
-        data.default_params,
-        expiry,
-    );
+    let user_org = conn
+        .transaction::<_, diesel::result::Error, _>(|conn| {
+            async move {
+                let user = diesel::insert_into(users_columns::users)
+                    .values(&user)
+                    .get_result::<User>(conn)
+                    .await?;
 
-    diesel::insert_into(crate::data::schema::user_api_key::dsl::user_api_key)
-        .values(&api_key_struct)
-        .execute(&mut conn)
+                let user_org = diesel::insert_into(user_organizations_columns::user_organizations)
+                    .values(&user_org)
+                    .get_result::<UserOrganization>(conn)
+                    .await?;
+
+                Ok((user, vec![user_org]))
+            }
+            .scope_boxed()
+        })
         .await
-        .map_err(|_| ServiceError::BadRequest("Error setting api key".to_string()))?;
+        .map_err(|_| {
+            ServiceError::InternalServerError(
+                "Failed to create user, likely that organization_id is invalid".to_string(),
+            )
+        })?;
 
-    Ok(raw_api_key)
+    let user_org = get_user_by_id_query(&user_org.0.id, pool).await?;
+
+    Ok(user_org)
 }
 
 pub async fn get_user_from_api_key_query(
@@ -344,173 +309,10 @@ pub async fn get_user_from_api_key_query(
                 first_user_org.3.clone(),
             ))
         }
-        None => {
-            let argon2_hash = hash_argon2_api_key(api_key)?;
-
-            let user_orgs_orgs: Vec<(User, UserOrganization, Organization, UserApiKey)> =
-                users_columns::users
-                    .inner_join(user_organizations_columns::user_organizations)
-                    .inner_join(organization_columns::organizations.on(
-                        organization_columns::id.eq(user_organizations_columns::organization_id),
-                    ))
-                    .inner_join(user_api_key_columns::user_api_key)
-                    .filter(user_api_key_columns::api_key_hash.eq(argon2_hash.clone()))
-                    .filter(
-                        user_api_key_columns::expires_at
-                            .is_null()
-                            .or(user_api_key_columns::expires_at.ge(diesel::dsl::now.nullable())),
-                    )
-                    .filter(organization_columns::deleted.eq(0))
-                    .select((
-                        User::as_select(),
-                        UserOrganization::as_select(),
-                        Organization::as_select(),
-                        UserApiKey::as_select(),
-                    ))
-                    .load::<(User, UserOrganization, Organization, UserApiKey)>(&mut conn)
-                    .await
-                    .map_err(|_| ServiceError::BadRequest("API Key Incorrect".to_string()))?;
-
-            match user_orgs_orgs.get(0) {
-                Some(first_user_org) => {
-                    let user = first_user_org.0.clone();
-                    let mut user_orgs = user_orgs_orgs
-                        .iter()
-                        .map(|user_org| user_org.1.clone())
-                        .collect::<Vec<UserOrganization>>();
-
-                    user_orgs.iter_mut().for_each(|user_org| {
-                        if user_orgs_orgs
-                            .iter()
-                            .find(|user_org_org| user_org_org.1.id == user_org.id)
-                            .unwrap()
-                            .3
-                            .role
-                            == 0
-                        {
-                            user_org.role = 0;
-                        }
-                    });
-
-                    let orgs = user_orgs_orgs
-                        .iter()
-                        .map(|user_org_org| user_org_org.2.clone())
-                        .collect::<Vec<Organization>>();
-
-                    diesel::update(
-                        user_api_key_columns::user_api_key
-                            .filter(user_api_key_columns::api_key_hash.eq(argon2_hash)),
-                    )
-                    .set(user_api_key_columns::blake3_hash.eq(api_key_hash))
-                    .execute(&mut conn)
-                    .await
-                    .map_err(|_| ServiceError::BadRequest("Error updating api key".to_string()))?;
-
-                    Ok((
-                        SlimUser::from_details(user, user_orgs, orgs),
-                        first_user_org.3.clone(),
-                    ))
-                }
-                None => Err(ServiceError::BadRequest("API Key Incorrect".to_string())),
-            }
-        }
+        None => Err(ServiceError::BadRequest("API Key Incorrect".to_string())),
     }
 }
 
-pub async fn get_user_api_keys_query(
-    user_id: uuid::Uuid,
-    pool: web::Data<Pool>,
-) -> Result<Vec<ApiKeyRespBody>, ServiceError> {
-    use crate::data::schema::user_api_key::dsl as user_api_key_columns;
-
-    let mut conn = pool.get().await.map_err(|_e| {
-        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
-    })?;
-
-    let api_keys = user_api_key_columns::user_api_key
-        .filter(user_api_key_columns::user_id.eq(user_id))
-        .select(UserApiKey::as_select())
-        .load::<UserApiKey>(&mut conn)
-        .await
-        .map_err(|_| ServiceError::BadRequest("Error loading user api keys".to_string()))?;
-
-    let api_keys = api_keys
-        .into_iter()
-        .map(|api_key| api_key.into())
-        .collect::<Vec<ApiKeyRespBody>>();
-    Ok(api_keys)
-}
-
-pub async fn delete_user_api_keys_query(
-    user_id: uuid::Uuid,
-    api_key_id: uuid::Uuid,
-    pool: web::Data<Pool>,
-) -> Result<(), ServiceError> {
-    use crate::data::schema::user_api_key::dsl as user_api_key_columns;
-
-    let mut conn = pool.get().await.map_err(|_e| {
-        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
-    })?;
-
-    diesel::delete(
-        user_api_key_columns::user_api_key
-            .filter(user_api_key_columns::user_id.eq(user_id))
-            .filter(user_api_key_columns::id.eq(api_key_id)),
-    )
-    .execute(&mut conn)
-    .await
-    .map_err(|_| ServiceError::BadRequest("Error deleting user api key".to_string()))?;
-
-    Ok(())
-}
-
-pub async fn create_user_query(
-    user_oidc_subject: String,
-    email: String,
-    name: Option<String>,
-    role: UserRole,
-    org_id: uuid::Uuid,
-    pool: web::Data<Pool>,
-) -> Result<(User, Vec<UserOrganization>, Vec<Organization>), ServiceError> {
-    use crate::data::schema::user_organizations::dsl as user_organizations_columns;
-    use crate::data::schema::users::dsl as users_columns;
-
-    let mut conn = pool.get().await.map_err(|_e| {
-        ServiceError::InternalServerError("Failed to get postgres connection".to_string())
-    })?;
-
-    let user = User::from_details_with_id(user_oidc_subject, email, name);
-    let user_org = UserOrganization::from_details(user.id, org_id, role);
-
-    let user_org = conn
-        .transaction::<_, diesel::result::Error, _>(|conn| {
-            async move {
-                let user = diesel::insert_into(users_columns::users)
-                    .values(&user)
-                    .get_result::<User>(conn)
-                    .await?;
-
-                let user_org = diesel::insert_into(user_organizations_columns::user_organizations)
-                    .values(&user_org)
-                    .get_result::<UserOrganization>(conn)
-                    .await?;
-
-                Ok((user, vec![user_org]))
-            }
-            .scope_boxed()
-        })
-        .await
-        .map_err(|_| {
-            ServiceError::InternalServerError(
-                "Failed to create user, likely that organization_id is invalid".to_string(),
-            )
-        })?;
-
-    let user_org = get_user_by_id_query(&user_org.0.id, pool).await?;
-
-    Ok(user_org)
-}
-
 pub async fn add_user_to_organization(
     _req: Option<&HttpRequest>,
     _calling_user_id: Option<uuid::Uuid>,
@@ -610,7 +412,7 @@ pub async fn create_default_user(api_key: &str, pool: web::Data<Pool>) -> Result
         user.id,
         api_key_hash,
         "default".to_string(),
-        ApiKeyRole::ReadAndWrite,
+        ApiKeyRole::Admin,
         None,
         None,
         None,