> ## Documentation Index > Fetch the complete documentation index at: https://microstrate-1133-notifications-prefs.mintlify.site/llms.txt > Use this file to discover all available pages before exploring further. # API Keys > Generate and manage API keys for programmatic access # API Key Management API keys allow you to access QuivaWorks programmatically for automation, integrations, and custom applications. ## Creating an API Key Click your profile icon in the bottom left → "Settings" → "API Keys" Click the "Add" button Enter a descriptive name (e.g., "Production Integration", "CI/CD Pipeline", "Monitoring Script") **Copy the API key immediately** - it will only be shown once **You cannot view the API key again after closing the dialog.** Store it securely in a password manager or secret management system immediately. ## API Key Properties Keys are tied to the user who creates them and inherit that user's permissions All keys expire after 3 months for security Delete keys immediately if compromised ## Managing API Keys ### Viewing Your Keys 1. Navigate to **Settings → API Keys** 2. See a list of all your active keys showing: * Key name * Creation date * Expiration date * Last used date (if applicable) ### Deleting an API Key 1. Navigate to **Settings → API Keys** 2. Click on the key name you want to delete 3. Click the "Delete" button 4. Confirm the deletion Deleting a key immediately revokes access. Any applications using this key will stop working. Update applications with a new key before deleting the old one. ## API Key Security Best Practices **Treat API keys like passwords.** Never share them or expose them publicly. ### Storage and Handling **Do this:** ```bash theme={null} # Store in environment variable export QUIVA_API_KEY="your-api-key-here" ``` **Never do this:** ```javascript theme={null} // Don't hardcode keys in your code const apiKey = "ms_1234567890abcdef"; // BAD ``` Store keys in secure secret management systems: * AWS Secrets Manager * HashiCorp Vault * Azure Key Vault * Google Secret Manager * 1Password/LastPass for Teams These systems provide: * Encrypted storage * Access controls * Audit trails * Automatic rotation Add these patterns to your `.gitignore`: ``` .env .env.local .env.*.local config/secrets.yml **/api-keys.txt ``` Even in private repositories, avoid committing API keys. They can be exposed through: * Repository forks * Access changes * CI/CD logs * Backup systems **Never share keys via:** * Email * Slack or Teams messages * Documentation (even internal) * Shared documents or spreadsheets **Instead:** * Create separate keys for each user * Use your secret management system * Grant appropriate role-based access ### Key Rotation Strategy Create a new API key 2 weeks before the old one expires Deploy the new key to all applications and services: * Update environment variables * Update secret management entries * Update CI/CD configurations Verify all integrations work with the new key: * Run automated tests * Check production traffic * Monitor error rates Keep both keys active briefly to ensure smooth transition Only after confirming the new key works everywhere and the old key is no longer in use Set calendar reminders **2 weeks before** key expiration to avoid service disruption. Consider automating rotation using your secret management system. ### Organizing Multiple Keys Create different keys for: * Production * Staging * Development/Testing * CI/CD pipelines * Third-party integrations Clear naming helps track usage: * "Production API - Web App" * "GitHub Actions - Main Pipeline" * "Datadog Monitoring Integration" * "Staging Environment - QA Team" ### Monitoring API Key Usage Regularly audit your API keys to maintain security: **Monthly Review Checklist:** * List all active API keys in your account * Verify each key is still needed * Check last used dates for inactive keys * Delete keys that haven't been used in 30+ days * Confirm key names accurately describe current usage **Watch for Unusual Patterns:** * Unexpected spike in API calls * Calls from unfamiliar IP addresses or regions * Access outside normal business hours * Failed authentication attempts * Unusually large data transfers While QuivaWorks doesn't currently provide audit logs for API usage, we recommend implementing logging in your applications that use API keys to track their usage patterns. ## If an API Key is Compromised Act immediately if you suspect a key has been exposed or compromised. 1. Navigate to **Settings → API Keys** 2. Click on the compromised key 3. Click "Delete" 4. Confirm deletion Create a new API key with a different name immediately Deploy the new key to all affected services as quickly as possible Check your application logs for any unauthorized or suspicious API usage Determine: * What resources were accessed * What data may have been exposed * What actions were performed * Duration of potential unauthorized access For serious breaches involving sensitive data, follow your [incident response procedures](/essentials/security/incident-response) **Common Ways Keys Get Exposed:** * Accidentally committed to public GitHub repositories * Logged in plain text in application logs * Shared in Slack/email/chat messages * Included in error messages or stack traces * Stored in unencrypted configuration files * Exposed through compromised development machines ## Using API Keys ### Authentication Include your API key in the `Authorization` header: ```bash theme={null} curl -H "Authorization: Bearer YOUR_API_KEY" \ https://api.quiva.ai/v1/agents ``` ### Common Integration Patterns ```javascript theme={null} // Using environment variables const apiKey = process.env.QUIVA_API_KEY; const response = await fetch('https://api.quiva.ai/v1/agents', { headers: { 'Authorization': `Bearer ${apiKey}`, 'Content-Type': 'application/json' } }); ``` ```python theme={null} import os import requests # Load from environment api_key = os.environ['QUIVA_API_KEY'] headers = { 'Authorization': f'Bearer {api_key}', 'Content-Type': 'application/json' } response = requests.get( 'https://api.quiva.ai/v1/agents', headers=headers ) ``` ```bash theme={null} # Load from environment variable curl -H "Authorization: Bearer $QUIVA_API_KEY" \ -H "Content-Type: application/json" \ https://api.quiva.ai/v1/agents ``` ### Error Responses ```json theme={null} { "error": "Invalid API key", "message": "The provided API key is invalid or expired" } ``` **Common Causes:** * API key doesn't exist * Key has been deleted * Key has expired (after 3 months) * Incorrect key format **Solution:** Generate a new API key and update your application configuration. ```json theme={null} { "error": "Insufficient permissions", "message": "Your API key doesn't have access to this resource" } ``` **Common Causes:** * User role lacks required permissions * Resource doesn't exist * Resource belongs to different account * Operation not allowed for this role **Solution:** Check the user's role permissions or create a key from a user with appropriate access. ```json theme={null} { "error": "Rate limit exceeded", "message": "Too many requests. Please try again later", "retry_after": 60 } ``` **Common Causes:** * Exceeded your plan's rate limits * Too many concurrent requests * Burst limit exceeded **Solution:** Implement exponential backoff and respect the `retry_after` header. Consider upgrading your plan for higher limits. ## API Key Best Practices Checklist Use this checklist when working with API keys: ### Before Creating * [ ] Determine the specific purpose and required scope * [ ] Identify which user should own the key (inherits their permissions) * [ ] Choose a descriptive, meaningful name * [ ] Confirm you have a secure storage location ready ### Upon Creation * [ ] Copy the key immediately to secure storage * [ ] Store in password manager or secret management system * [ ] Never commit to version control * [ ] Document where the key will be used * [ ] Set a calendar reminder for rotation (before 3-month expiration) ### During Usage * [ ] Use environment variables, never hardcode * [ ] Implement proper error handling for API failures * [ ] Monitor usage and performance * [ ] Log API errors (but never log the key itself) * [ ] Use separate keys for different environments ### Regular Maintenance * [ ] Review active keys monthly * [ ] Delete unused keys * [ ] Rotate keys before expiration * [ ] Audit API usage patterns * [ ] Update documentation when keys change * [ ] Test new keys before deleting old ones ## Troubleshooting **Possible Issues:** * Key not copied correctly (extra spaces, truncation) * Not included in Authorization header * Using wrong API endpoint * User permissions insufficient **Solutions:** * Regenerate the key and copy carefully * Verify header format: `Authorization: Bearer YOUR_KEY` * Check API documentation for correct endpoints * Verify user role has required permissions **Possible Issues:** * Key expired (3-month lifespan) * Key was deleted by admin * User's permissions changed * Account plan changed affecting limits **Solutions:** * Check key expiration date * Verify key still exists in settings * Contact admin about permission changes * Generate new key and update applications **Possible Issues:** * Exceeded your plan's API rate limits * Too many concurrent requests * Application not handling retries properly **Solutions:** * Implement exponential backoff * Reduce request frequency * Consider upgrading your plan * Batch requests where possible **Immediate Actions:** 1. Delete the key immediately 2. Generate a new replacement key 3. Update all applications 4. Review recent API usage for unauthorized access 5. If in version control, contact support about repository history ## Next Steps Complete API documentation and endpoints Secure your user account with MFA Comprehensive security practices What to do if compromised