Key Management
Secure handling of your tenant API key is critical. This page covers the show-once policy and how to rotate or revoke keys.
Show-once policy
When you create a new API key in the dashboard:
- The full key value is shown only once at creation time.
- It is not stored in plain text after that, so there is no way to retrieve or view the full key again from the dashboard or API.
- You must copy and store the key securely (e.g. in a secrets manager or environment variable) before closing the creation dialog. If you lose it, you must create a new key and update your application.
Best practices:
- Store the key in a secure secret store (e.g. environment variables, AWS Secrets Manager, HashiCorp Vault).
- Never commit keys to version control; add .env (or equivalent) to .gitignore.
- Use different keys per environment (e.g. development, staging, production).
Rotating keys
To rotate your tenant API key without downtime:
- Create a new key in the dashboard (e.g. API Keys or Keys section). Copy and store it securely.
- Update your application to use the new key (e.g. update env vars or config and deploy).
- Revoke the old key in the dashboard once the new key is live. After revocation, requests using the old key will fail with authentication errors.
Until you revoke the old key, both keys are valid. This allows a gradual rollout or rollback.
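The overlap window described above can be used from the client side as well. The following is an added example, not code from this product: a client wrapper that prefers the new key, falls back to the old key on a 401 while both are still valid, and reports when the old key is no longer needed. The environment variable names, the `send(key)` transport and the fake server are assumptions made for illustration.

```python
import hashlib
import os
from typing import Callable, Mapping, Optional

# Hypothetical variable names; the page does not define any.
CURRENT_VAR = "TENANT_API_KEY"
PREVIOUS_VAR = "TENANT_API_KEY_PREVIOUS"


def fingerprint(key: str) -> str:
    """Short SHA-256 prefix for logs, so the key itself is never written out."""
    return hashlib.sha256(key.encode()).hexdigest()[:8]


class RotatingKeyClient:
    """Prefers the new key and falls back to the old one while both are valid."""

    def __init__(self, send: Callable[[str], int],
                 env: Optional[Mapping[str, str]] = None):
        env = os.environ if env is None else env
        self._send = send  # assumed transport: send(key) -> HTTP status code
        self._current = env.get(CURRENT_VAR)
        self._previous = env.get(PREVIOUS_VAR)
        if not self._current:
            raise RuntimeError(f"{CURRENT_VAR} is not set")
        self.fallback_used = 0  # how many requests needed the old key

    def request(self) -> int:
        status = self._send(self._current)
        if status == 401 and self._previous:
            # New key rejected (e.g. mis-copied at creation): roll back to old key.
            retry = self._send(self._previous)
            if retry != 401:
                self.fallback_used += 1
                return retry
        return status

    def safe_to_revoke_previous(self) -> bool:
        """True when the new key authenticates and no request needed the old key."""
        return self.fallback_used == 0 and self._send(self._current) != 401


def make_fake_server(valid_keys):
    """Constructed stand-in for the API: 200 for a valid key, 401 otherwise."""
    return lambda key: 200 if key in valid_keys else 401
```

Once `safe_to_revoke_previous()` holds across your deployed instances, revoke the old key and remove the previous-key variable from the environment.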
Revoking keys
- Revoke a key from the dashboard when the key is compromised or no longer needed. Revocation is immediate: requests that use that key will receive authentication errors (e.g. 401).
- Impact: Any running processes or clients still using the revoked key will fail until they are updated to use a different key. Plan revocations during low traffic or after deploying a new key.
Summary
| Action | When to use |
|---|---|
| Create | New integration or new environment; store the key securely at creation (show-once). |
| Rotate | Create new → update app → revoke old. |
| Revoke | Key leaked or no longer needed; immediate effect. |
For getting your first key and where to use it, see Authentication and the Quickstart.