Skip to main content

API Access

This feature allows users to generate and manage API tokens for accessing the platform programmatically.

Regenerating API Tokens​

Users can view and regenerate API tokens to authenticate their requests to the platform's API.

Important behavior and guidance:

  • For security, the API key is stored hashed. The cleartext value is only shown immediately after generation/regeneration and cannot be retrieved later.
  • You must copy or securely store the new key at the moment it is generated/regenerated. Subsequent visits will show a masked/hashed value only.
  • Regenerating a key immediately invalidates the previous key.

Here is what the token regeneration page looks like in an app:

View Full Story β†’

Security Considerations​

When generating and managing API tokens, follow best practices to protect your account and data:

  • Copy and securely store the key immediately after generation/regeneration. It won’t be shown again in cleartext.
  • Never commit keys to source control. Use environment variables or your secrets manager.
  • Rotate keys regularly and revoke keys that are no longer needed.
  • Use the least privilege principle by generating tokens with the minimum required permissions.
  • Monitor usage and alerts on suspicious access where supported.

Key lifecycle and UX intent​

The API Access feature is designed to minimize risk by reducing exposure of long-lived secrets:

  • Generation: A new key is created and displayed once in cleartext so the user can copy it.
  • Storage: Only a hashed value is persisted; cleartext is not retrievable.
  • Regeneration: The previous key is invalidated and a new key is shown once in cleartext.
  • Copy action: The UI exposes a copy button only immediately after a generate/regenerate event to reinforce β€œcopy-once” behavior.

This design aligns with common secret-management guidance and helps prevent accidental leakage of credentials in screenshots or shared screens.

Developer notes​

  • The API Access UI lives in the Foundation app at @foundation/features/dashboard/api-access/client (e.g. APIAccessPage).
  • Translations must provide the following keys: copy-button-aria-label, no-key-text, generate-key-text, regenerate-button-text, text-field-label.
  • Test mocks and Playwright tests are in the foundation app (src/features/dashboard/api-access/, src/tests/playwright/tests/dashboard-journeys/api-access.spec.ts).