Skip to content
EZY Wiki

API Keys

API Keys gives tenant administrators controlled programmatic access for integrations and automation. Each key is assigned an authorization group that determines its permissions, and can be restricted to specific IP addresses or given an expiration date for better security.

API Keys list showing key names, status badges, authorization groups, expiration dates, and last-used timestamps

Accessing the Page

Section titled “Accessing the Page”
  • Route: /tenant-api-keys
  • Menu Path: Settings → Data & Monitoring → API Keys
  • Primary audience: Tenant administrators and Super Users.

What you can do here

Section titled “What you can do here”
  • View all tenant API keys with their status, authorization group, expiration date, and last-used timestamp.
  • Generate a new API key and copy the one-time secret before it is masked.
  • Edit a key’s name, description, authorization group, and IP allowlist.
  • Rotate a key to generate a new secret while preserving its configuration.
  • Revoke a key to immediately block access for any application using it.
  • Filter keys by status (Active / Revoked) and expiration state (Valid / Expiring Soon / Expired).

Common tasks

Section titled “Common tasks”
  1. Open Settings → Data & Monitoring → API Keys.
  2. Click Generate API Key to open the generation form.
  3. Fill in the key name, select an authorization group, and optionally set an expiration date and IP allowlist.
  4. Click Generate — a modal displays the key secret. Copy it now; it will not be shown again.
  5. Store the secret in a vault or your integration’s secret store.
  6. Use the X-API-Key header in API requests to authenticate as this key.

Notes

Section titled “Notes”
  • The secret is shown only once, immediately after generation. If it is lost, rotate the key to generate a new one.
  • Revoking a key is immediate and permanent — applications using the key lose access instantly.
  • Rotating a key invalidates the current secret and issues a new one. All applications using the old secret must be updated.
  • Keys count toward a tenant limit. The page header displays the current usage (e.g., 2/10 keys). Contact support to raise the limit.
  • IP restrictions use CIDR notation. Leaving the allowlist empty permits requests from any IP address.

Generating an API Key

Section titled “Generating an API Key”

Click Generate API Key in the page header. A full-page form opens where you configure the key before generating the secret.

Generate API Key form with Key Information section showing Key Name, Description, Authorization Group, and Expiration Date fields

Fields

Section titled “Fields”
FieldRequiredTypeDescriptionDefaultValidation
Key NameYesTextDisplay name for the key. Used to identify it in the list2–200 characters
DescriptionNoTextareaOptional description of what this key is used forMax 1000 characters
Authorization GroupYesSelectThe permission group that governs what this key can access. Only groups of type Tenant API Key are availableRequired
Expiration DateNoDateDate after which the key stops working. Leave empty for a key that never expiresMust be a future date
IP AllowlistNoTextareaOne IP address or CIDR range per line. Leave empty to allow requests from any IPValid IP or CIDR per line

Steps:

  1. Click Generate API Key in the page header.
  2. Enter a descriptive Key Name (e.g., “Mobile App”, “ERP Integration”).
  3. Optionally add a Description explaining the key’s purpose.
  4. Select an Authorization Group — this determines the key’s permissions.
  5. Optionally set an Expiration Date for better security.
  6. Optionally enter one or more IPs or CIDRs in the IP Allowlist to restrict which addresses may use the key.
  7. Click Generate. A modal immediately shows the generated secret.
  8. Click the copy icon to copy the secret to the clipboard. Store it securely — it will not be shown again.
  9. Click Close to dismiss the modal and return to the key list.

Editing an API Key

Section titled “Editing an API Key”

Open the Edit icon (pencil) on an active key row to update its metadata. The key secret is not affected by an edit.

Edit API Key dialog — pre-filled with the key's current name, description, authorization group, and IP allowlist

Same fields as Generating, with these differences:

  • Expiration Date is not available in the edit form — to change the expiry you must rotate the key.
  • Authorization Group is editable after creation.
  • All other fields behave identically to the generate form.

Steps:

  1. Click the pencil icon on the target key row.
  2. Update the desired fields.
  3. Click Save.

Rotating an API Key

Section titled “Rotating an API Key”

Rotating generates a new secret for an existing key while keeping its name, authorization group, and other configuration unchanged.

Rotate API Key confirmation dialog warning that all applications using the current key will immediately lose access

  1. Click the rotate icon (circular arrows) on an active key row.
  2. Read the warning: all applications using the current secret will lose access immediately.
  3. Click Rotate to confirm.
  4. A modal displays the new secret. Copy it and update all applications before closing.

Note: Rotation is irreversible — the old secret is invalidated the moment the new one is issued.

Revoking an API Key

Section titled “Revoking an API Key”

Revoking permanently deactivates a key. Any application using the key loses access immediately.

Revoke API Key confirmation dialog asking for confirmation before permanently blocking the key

  1. Click the revoke icon (trash) on the target key row.
  2. Read the confirmation: “Are you sure you want to revoke the API key [name]? This action cannot be undone and any applications using this key will lose access immediately.”
  3. Click Revoke to confirm — the key status changes to Revoked in the list.

Note: Revoked keys cannot be re-activated. Generate a new key if access needs to be restored.

Section titled “Related Pages”