Console > API Keys to create, edit metadata, activate, deactivate, rotate, and remove keys.
When to use
Use API Keys when:- an automation needs to query Acrity data;
- an internal system needs to trigger operations supported by the public API;
- integrations need stable workspace-level authentication;
- webhooks are not enough because the external system needs to fetch data on demand.
Who can access
Managing API Keys requires a Workspace admin (platform admins also have access). Creating an API key also requires a Workspace admin.Authentication format
External systems should send the key as described in the public API documentation. The creation screen shows the complete key only once.Main fields
| Field | Purpose |
|---|---|
| Name | Identifies the key and the system that uses it. |
| Expiration | Defines until when the key can be used. Set only when the key is created; it cannot be edited afterward. |
| IP allowlist | Restricts use to allowed addresses or ranges when applicable. |
| Scopes | Limit which areas of the API the key can access. |
| Active | Indicates whether the key can be used. |
| Last characters | Helps identify the key without exposing the secret. |
Create an API Key
Set expiration
Choose a validity period. Expiration is set only at creation and cannot be changed later.
Expiration
Expiration options can include:- no expiration;
- 1 hour;
- 1 day;
- 7 days;
- 30 days;
- 90 days;
- 180 days;
- 360 days.
Expiration is set only when the key is created and cannot be edited afterward. To use a different expiration, create a new key.
IP allowlist
IP allowlist limits key usage to known origins. Use it when:- the integration runs on infrastructure with a fixed IP;
- the organization requires origin control;
- the key has write scopes;
- the integration is critical.
Scopes
| Scope | Allows |
|---|---|
| Reviews | Read or operate review-related resources according to the granted level. |
| Workspaces | Read or change workspace data according to the granted level. |
| Credentials | Read or change credential metadata according to the granted level. |
| Webhooks | Read or change webhooks according to the granted level. |
| Repositories | Read or change repositories according to the granted level. |
| SecurityScans | Read or operate security scan resources according to the granted level. |
Rotate a key
Rotation generates a new secret for the same logical key. Recommended flow:- Go to
Console > API Keys. - In the keys list, find the key and choose
Rotatefrom its row actions. - Confirm the rotation in the dialog.
- Copy the new displayed value.
- Update the external system.
- Validate the integration.
- Remove old secrets from the vault or runtime environment.
Deactivate or delete
Deactivate a key when you want to temporarily interrupt access without losing administrative history. Delete it when:- the integration was removed;
- the system no longer exists;
- the key was created by mistake;
- the organization’s policy requires permanent removal.
Best practices
- Create one key per system and environment.
- Use clear names, such as
billing-sync-prod. - Apply the smallest possible scope.
- Configure expiration when practical.
- Use IP allowlist for critical integrations.
- Store it in a secure vault, never in source code.
- Rotate periodically.
- Deactivate unused keys.
Common issues
| Symptom | What to check |
|---|---|
| Key does not authenticate | Confirm copied value, expiration, active status, and correct environment. |
| Access denied | Check scopes and workspace role. |
| Works locally, fails in production | Check IP allowlist and the real request origin. |
| I lost the complete key | Rotate the key and update the integration. |
| Integration stopped after rotation | Update the secret in the external system and redeploy when needed. |
Security
The complete secret is shown only once and should not be stored in plaintext outside a secure vault. Technical protection for keys and tokens is described inSecurity > Credentials and tokens.