Creating a key
- Go to API settings.
- Click Create Key.
- Give it a descriptive name (e.g. Production, Personal scripts).
- Optionally restrict which accounts the key can access (see Account scope below).
- Click Create Key — the secret is shown once. Copy it now.
Naming keys
Every key has a name. Use names that make it obvious where each key is used so you can safely rotate or delete individual keys without guessing what depends on them. To rename a key after creation, click Rename next to it in API settings.Account scope
By default, a key can access all of your accounts, including any you connect in the future. You can restrict a key to a specific set of accounts — useful for isolating what a particular integration or script can see.Setting scope when creating a key
In the Create Key dialog, turn off Share all accounts and select the accounts you want the key to access.Editing scope after creation
- Open API settings.
- Click Edit scope next to the key.
- Toggle Share all accounts or check/uncheck individual accounts.
- Click Save.
How scope is enforced
When a key has a restricted scope, any request for an account outside that scope returns404 NOT_FOUND, the same as if the resource does not exist. This avoids leaking that the account exists at all.
An empty scope (all accounts) is the default and includes accounts you add in the future.
Rotating a key
Rotating generates a new secret and immediately invalidates the old one. The key’s name and account scope are preserved — only the secret changes.- Click Rotate next to the key in API settings.
- Confirm the rotation.
- Copy the new secret — it is shown once.
- Update any applications using the old key before closing the dialog.
Deleting a key
Deleting a key permanently invalidates it. Any application using that key will stop working immediately.- Click Delete next to the key in API settings.
- Confirm deletion.