API keys
API keys authenticate the integration between your company’s systems and the platform. Each key has an ID and a secret token, used as username and password in the HTTP Basic scheme described in Technical integration.
Create a key
Under Settings > API keys > New key:
- Provide an optional description identifying the key’s use (up to 32 characters).
- Click Create.
- The key is shown only once. Copy the ID and secret token and store them in a safe place — once you leave the screen, the token cannot be recovered.
Each account supports up to 10 keys at a time. To create a new one beyond that limit, remove an existing key first.
Panel
The API keys screen lists all keys in the account with:
- ID of the key.
- Visible token: first characters of the token, enough to identify it without exposing the secret.
- Description set on creation.
- Last used: approximate time of the last call authenticated with the key.
The description can be edited at any time. The token, for security reasons, cannot be viewed again after creation.
Removal
Removed keys stop authenticating new calls. In critical situations, also consider rotating credentials in the systems that used the key.
Best practices
- One key per integration: makes it easier to track usage (Last used) and revoke access without affecting other integrations.
- Explicit descriptions: indicate the system or environment that uses the key (e.g., checkout-prod, etl-staging).
- Periodic rotation: generate a new key, update the system, and remove the previous one after confirming there are no more calls using it.
- Never version tokens: store them in environment variables, secret managers, or dedicated vaults.
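The following is an added example, not code from the platform's documentation: it reads the key ID and secret token from environment variables, builds the HTTP Basic header with the ID as username and the token as password, and masks the token for logs in the spirit of the panel's Visible token column. The variable names PLATFORM_API_KEY_ID and PLATFORM_API_KEY_SECRET, the 4-character visible prefix, and the sample values are assumptions.

```python
import base64
import os

# Assumed environment variable names; the page does not define any.
ENV_KEY_ID = "PLATFORM_API_KEY_ID"
ENV_KEY_SECRET = "PLATFORM_API_KEY_SECRET"


class MissingCredentials(RuntimeError):
    """Raised when the key ID or secret token is absent from the environment."""


def load_api_key(env=None):
    """Read the key ID and secret token from the environment, failing closed."""
    env = os.environ if env is None else env
    key_id = env.get(ENV_KEY_ID, "").strip()
    secret = env.get(ENV_KEY_SECRET, "").strip()
    if not key_id or not secret:
        raise MissingCredentials(f"set {ENV_KEY_ID} and {ENV_KEY_SECRET}")
    if ":" in key_id:
        # RFC 7617: the user-id part of Basic credentials cannot contain a colon.
        raise ValueError("key ID must not contain ':'")
    return key_id, secret


def basic_auth_header(key_id, secret):
    """Build the Authorization header: key ID as username, token as password."""
    raw = f"{key_id}:{secret}".encode("utf-8")
    return {"Authorization": "Basic " + base64.b64encode(raw).decode("ascii")}


def mask_token(secret, visible=4):
    """Return a log-safe form that keeps only a short identifying prefix."""
    if len(secret) <= visible * 2:
        return "*" * len(secret)  # too short to reveal any prefix safely
    return secret[:visible] + "*" * (len(secret) - visible)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample_env = {ENV_KEY_ID: "key_example_01",
                  ENV_KEY_SECRET: "s3cr3t-constructed-token"}
    key_id, secret = load_api_key(sample_env)
    headers = basic_auth_header(key_id, secret)
    print("using key", key_id, "token", mask_token(secret))
    print("header scheme:", headers["Authorization"].split(" ", 1)[0])
```

Pass the returned header to whichever HTTP client the integration uses, and log only the masked form of the token.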