Managing API Keys

This guide covers viewing, rotating, and revoking API keys, along with security best practices.


Viewing Active Keys

The API Keys page in the Admin Console displays all active keys with the following information:

  • Key name
  • Creation timestamp
  • Expiration timestamp
  • Assigned permissions

The actual key value is never displayed after the initial creation.


Deleting a Key

To revoke an API key:

  1. Navigate to Configuration → API Keys
  2. Locate the key to delete
  3. Click the Delete button (trash icon)
  4. Confirm the deletion

Once deleted, the key is immediately revoked. Any applications or scripts using that key will receive 401 Unauthorized errors on subsequent requests.


Key Rotation

As a security best practice, API keys should be rotated periodically. The recommended rotation process is:

  1. Generate a new API key with the same permissions as the existing key
  2. Update all applications and scripts to use the new key
  3. Verify the new key is working correctly in all integrations
  4. Delete the old key

Shield allows up to 2 active keys per permission type simultaneously, which enables zero-downtime rotation. Deploy the new key to all systems before revoking the old one.


Security Best Practices

Key Storage

  • Store keys as environment variables rather than hardcoding them
  • Use secrets management services for production deployments
  • Encrypt configuration files that contain API keys
  • Restrict file permissions on any files containing keys

Access Control

  • Follow the principle of least privilege - grant only required permissions
  • Use separate API keys for different integrations and purposes
  • Set appropriate expiration periods (90-180 days recommended)
  • Revoke keys immediately when they are no longer needed
  • Regularly audit active keys and remove unused ones

Network Security

  • Always use HTTPS when making API requests
  • Never send API keys over unencrypted HTTP connections
  • Consider network-level restrictions (VPN, firewall rules) for additional security
  • Monitor API usage patterns for anomalies

Operational Security

  • Implement key rotation schedules
  • Log and monitor API key usage
  • Set up alerts for unusual API activity patterns
  • Maintain an inventory of all active keys and their purposes
  • Document which systems use which keys for incident response