Skip to content

Issue, scope, and manage API keys

This guide covers the full API-key lifecycle: issuing a new key with granular scopes, rotating a key without downtime, and revoking a key permanently.

Who can do this: Admins with the api_keys:write scope (to create, rotate, and revoke) or api_keys:read scope (to view the key list only).

  • You need an admin account with api_keys:write to create or modify keys.
  • Decide which resource scopes the key needs — follow the principle of least privilege and grant only what the integration requires. See API key scopes reference for the full catalog.
  1. Go to Admin & Security > Integrations > API keys.
  2. Select New API key.
  3. Enter a Name that describes the integration or script using this key (for example, “Zapier integration” or “Nightly export”).
  4. In the Scopes section, check each resource:action scope the key needs. There is no “select all” — this is by design to encourage least privilege.
    • If you select a write scope without the matching read scope (for example, members:write without members:read), an advisory note appears: “Write without Read is unusual — auto-include Read?” Select the auto-fix link if you want both, or leave it and proceed — the advisory is non-blocking.
  5. Set an Expiry. The form defaults to one year from today. Select the expiry field and clear it to set the key to never expire.
  6. Select Create API key.

The key is created. The full token is shown exactly once. Read the warning, copy the token now, and select I’ve stored it safely to close the reveal. If the copy button fails (for example, because the browser blocked clipboard access), the token field stays selectable — select all the text and copy it manually. After you dismiss, the token is not retrievable; you can only rotate the key to get a new one.

Rotate a key (replace the token without downtime)

Section titled “Rotate a key (replace the token without downtime)”

Rotation issues a new token while keeping the old one valid for seven days, giving you time to update your integration.

  1. Go to Admin & Security > Integrations > API keys.
  2. Find the key you want to rotate. Select , then select Rotate.
  3. Confirm the rotation. A new token is shown once — copy it now and store it. The reveal also shows when the old token expires (seven days from now).
  4. Update your integration with the new token before the old one expires.

You cannot rotate a revoked or expired key. If you try, you’ll see “You can’t rotate a key that’s already revoked or expired — issue a new one instead.”

Revoking is permanent and immediate. Any integration using the key stops working at the moment of revocation. There is no undo.

  1. Go to Admin & Security > Integrations > API keys.
  2. Find the key you want to revoke. Select , then select Revoke.
  3. Read the confirmation dialog and select Revoke key to confirm. Select Cancel to go back.

The row stays visible in the list (greyed, with a “Revoked” status and the revocation timestamp) — it is not deleted.

For a new key: the key appears in the API keys list with an “Active” status badge and the scopes you selected. The full token is not shown in the list — only the first eight characters.

For a rotated key: the same row stays active; your integration works with the new token while the old one winds down.

For a revoked key: the row shows “Revoked” with a timestamp. Any API call using that token returns 401.

  • The Create/Rotate/Revoke actions are not visible — your role may lack api_keys:write. Contact your organization’s owner.
  • Rotation returns a 409 error — the key is no longer active (it was revoked or expired between the time you loaded the page and when you confirmed). Issue a new key.
  • You missed copying the token — the only recovery is to rotate the key. Rotation generates a fresh token; see the rotate steps above.