CredVault
Dashboard

API Keys

Create and manage API keys to authenticate your applications and integrations with CredVault.

What are API Keys?

API keys are secure credentials that allow:

  • Your applications to connect to CredVault
  • External tools to integrate with your platform
  • Automated scripts to access your data
  • Team members to use the API programmatically

An API key proves "I am authorized to access this" without sharing passwords.

Creating an API Key

Generate New Key

  1. Click API Keys in sidebar
  2. Click Create New Key
  3. Give it a name: "Mobile App", "Data Pipeline", "AI Integration"
  4. Choose permissions (see "Scopes" below)
  5. Set expiration (optional):
    • Never expires
    • 30 days
    • 90 days
    • 1 year
    • Custom date
  6. Click Generate

Key Information

Your key shows:

Key Name: Production API Key
Created: 2024-06-12 10:30 UTC
Status: Active
Permissions: Read databases, Run queries
Expires: 2025-06-12
Last Used: 2024-06-12 14:22 UTC
Last Rotated: Never

Understanding Scopes

Scopes limit what each key can do. Choose carefully:

Available Scopes

Read

  • database:read - Read data from databases
  • metadata:read - View data catalog
  • logs:read - View activity logs

Write

  • database:write - Insert/update/delete data
  • notebook:create - Create new notebooks
  • experiment:write - Create ML experiments

Execute

  • query:execute - Run queries
  • function:invoke - Call serverless functions
  • orchestration:execute - Trigger pipelines

Admin

  • team:manage - Add/remove team members
  • settings:modify - Change configuration
  • billing:manage - Modify billing

Best Practices for Scopes

  • Principle of least privilege - Only grant needed permissions
  • Read-only keys - For data analysis and dashboards
  • Write keys - Only for data ingestion
  • Separate keys - Different key for each application

Example scopes:

Mobile app: database:read, notebook:read
Data pipeline: database:write, query:execute
Public dashboard: database:read only
Admin tool: all permissions

Using Your API Key

In Code

Include your key in the Authorization header:

curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.credvault.io/v1/databases

import credvault

client = credvault.Client(api_key="YOUR_API_KEY")
databases = client.list_databases()

const credvault = require('credvault-js');

const client = new credvault.Client({
  apiKey: 'YOUR_API_KEY'
});

const databases = await client.listDatabases();

In Integrations

Many tools let you paste your API key:

  1. Open integration settings (Zapier, Make, etc.)
  2. Find "API Key" or "Authentication" field
  3. Paste your CredVault API key
  4. Test connection

Testing API Keys

Test Connection

  1. Click your API key
  2. Click Test Connection
  3. System verifies the key works
  4. Shows success/failure with error details

Test Specific Permission

After creating a key, test individual permissions:

# Test database read
curl -H "Authorization: Bearer YOUR_API_KEY" \
  https://api.credvault.io/v1/databases

# Should return: List of databases
# If denied: {"error": "Insufficient permissions"}

Usage History

See what your key has been used for:

2024-06-12 14:22 - GET /databases (success)
2024-06-12 14:25 - POST /query (success)
2024-06-12 14:27 - GET /experiments (denied - insufficient scope)
2024-06-12 14:30 - POST /notebooks (success)

Click any entry to see:

  • Exact request
  • Response code
  • Timestamp
  • Source IP
  • User agent

Managing Keys

Rename Key

Change the name anytime:

  1. Click the key
  2. Click Edit
  3. Change name
  4. Click Save

Pause/Resume

Temporarily disable a key without deleting:

  1. Click the key
  2. Click Pause
  3. Key won't work until resumed
  4. All data about usage is preserved

Use case: Pause during maintenance or migration

Rotate Key

Create a new key and invalidate the old one:

  1. Click the key
  2. Click Rotate
  3. New key is generated
  4. Old key stops working
  5. Update applications to use new key

Recommended: Rotate every 90 days or if exposed

Delete Key

Permanently remove a key:

  1. Click the key
  2. Click Delete
  3. Confirm deletion
  4. Applications using this key will lose access
  5. Action is permanent

Warning: Make sure nothing uses this key first

Security Best Practices

Protect Your Keys

  • ✅ Store in secure password manager
  • ✅ Use environment variables, never hardcode
  • ✅ Don't share keys via email or chat
  • ✅ Don't commit keys to version control
  • ✅ Rotate keys regularly
  • ❌ Don't share keys between applications
  • ❌ Don't use one key for everything
  • ❌ Don't set expiration to "never" for sensitive operations

Secure Storage

In your application:

# Good: Use environment variables
import os
api_key = os.environ['CREDVAULT_API_KEY']

# Bad: Don't hardcode
api_key = "cv_abc123..."  # Visible in code!

In configuration files:

# .env file (add to .gitignore!)
CREDVAULT_API_KEY=cv_abc123...

# .gitignore
.env
.env.local
secrets/

Monitoring Access

Check who's using your keys:

  1. Go to API Keys dashboard
  2. See all keys and last used time
  3. Look for unexpected usage
  4. Delete any suspicious keys
  5. Check activity logs for unusual access

Troubleshooting

Key doesn't work

  1. Verify key is not paused
  2. Check expiration date
  3. Verify scopes allow the operation
  4. Test with Test Connection
  5. Check error message for reason

Permission denied error

Error: "Insufficient permissions for operation"

The key's scopes don't allow this operation:

  1. Go to the key
  2. Click Edit Scopes
  3. Add needed permission
  4. Save and retry

Key expired

Error: "API key has expired"

Create a new key or rotate the old one:

  1. Click the expired key
  2. Click Rotate to replace with new
  3. Update applications with new key

Lost my key

If you forgot to save your key:

  1. Create a new key (old one still works)
  2. Delete the old key when done
  3. Update applications to new key

Note: Keys shown only once. Save immediately after creation.

Advanced Usage

Rate Limiting

Each key has rate limits:

Free tier: 100 requests/minute
Starter: 500 requests/minute
Pro: 2000 requests/minute
Enterprise: Unlimited (negotiated)

If you hit limit:

Error: "Rate limit exceeded"
Wait: 60 seconds before retrying
Solution: Upgrade plan or use multiple keys

Webhook Signatures

Verify webhooks come from CredVault:

import hmac

# Secret is your API key
secret = "YOUR_API_KEY"
signature = request.headers.get('X-Webhook-Signature')
body = request.get_data()

# Calculate expected signature
expected = hmac.new(
    secret.encode(),
    body,
    'sha256'
).hexdigest()

# Verify
if signature != expected:
    raise ValueError("Invalid signature")