Account-Level API Keys

To connect to Alloy, you will need an Account-level API Key (formerly Workflow Token and Secret) to authenticate your requests. Treat these keys with the same care as a username and password.

NOTE:
Your Account might still be using Workflow-level Keys. Please reach out to Customer Support if you’d like to switch over to Account-level Keys.

1. Access API Keys Settings

The agent must be in a role with the following permissions via “Roles > Settings > API Keys”.


  • Agent can view the Settings tab and list of API keys, and associated metadata (such as nickname, name of agent who created it, timestamps)
    • This grants access to the page and the ability to view the token and secrets necessary for integrations.
  • Agent can create new API Keys
    • This grants the ability to create new keys.
  • Agent can update existing API Keys (update API Key nickname, revoke the API Key, rotate the secret, revoke the secret)
    • This grants the ability to create new secrets and to revoke existing secrets and entire keys.

2. Creating API Keys

2.1 Workflow Generated Keys

If you are accessing this page for the first time, there might be Keys that you did not create. These Keys, where Generated By = Automatically from Workflow, have been migrated over from your existing Workflow to maintain backwards compatibility, and should be maintained from here going forward.


2.2 Creating an API Key

Select “Create New API Key” to generate a new Key. Every Key needs a unique Key Name. Once the new Key is generated, that Key is live and can be used to access your Alloy Account.


3. Rotating Key / Secrets

3.1 Rotating Secrets

You can generate up to 5 active Secrets per API Key. Each Secret paired with the Token will continue to be live. As you generate new Secrets, the older Secrets will continue to be active but will no longer be copyable.

3.2 Revoking Secrets

To revoke a Secret, click the trash icon on the row. Revoking a Secret will cause any request using a Token/Secret pair with that Secret to receive a 401 error. Revoking the topmost Secret (green Active) will make the last generated Secret copyable again.

IMPORTANT:
Do not revoke your old API Secrets until you have confirmed the new Secret is working as expected.
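
The rotation order described in 3.1 and 3.2, as an added example that is not Alloy's code or API. `KeyModel` is a hypothetical in-memory stand-in for one API Key, `probe` is a hypothetical callable that returns the HTTP status for a Token/Secret pair, and the Secret values are constructed.

```python
import secrets

MAX_ACTIVE_SECRETS = 5  # limit stated on this page


class KeyModel:
    """Hypothetical in-memory stand-in for one API Key (Token plus Secrets)."""

    def __init__(self, token):
        self.token = token
        self.active = []  # oldest first; the last entry is the only copyable one

    def generate_secret(self):
        if len(self.active) >= MAX_ACTIVE_SECRETS:
            raise RuntimeError("5 active Secrets already exist; revoke one first")
        self.active.append(secrets.token_hex(16))  # constructed sample value
        return self.active[-1]

    def revoke_secret(self, secret):
        self.active.remove(secret)

    def copyable(self):
        # Only the topmost (most recently generated, still active) Secret.
        return self.active[-1] if self.active else None

    def request(self, token, secret):
        """Status a request with this Token/Secret pair would receive."""
        return 200 if token == self.token and secret in self.active else 401


def rotate(key, old_secret, probe):
    """Generate a new Secret, confirm it works, and only then revoke the old one.

    Returns the Secret that callers should use after the attempt.
    """
    new_secret = key.generate_secret()
    if probe(key.token, new_secret) != 200:
        # New Secret not confirmed: keep the old one live so callers keep
        # working, and withdraw the unconfirmed Secret.
        key.revoke_secret(new_secret)
        return old_secret
    key.revoke_secret(old_secret)
    return new_secret
```

In real use, `probe` would be a low-impact authenticated request made by the integration that will consume the new Secret.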

3.3 Revoking Keys

To revoke a Key, click the trash icon on the row. You will need to confirm the key’s name (case-sensitive) before you can revoke that Key.

Revoking the entire Key will make any request still using that key receive a 401 error.

IMPORTANT:
Do not revoke your old API Keys until you have confirmed the new Key is working as expected.