Guides
Start typing to search…

Account-Level API Keys

To connect to Alloy, you will need an Account-level API key (formerly, Workflow token and secret) to authenticate your requests. Treat these keys, like a username and password, with utmost care.

NOTE: Your account might still be leveraging Workflow-level keys. Please reach out to Customer Support if you’d like to switch over to Account-level keys.

1. Access API Keys Settings

The agent must be in a role with the following permissions below via “Roles > Settings> API Keys”.

  • Agent can view the Settings tab and list of API keys, and associated metadata (such as nickname, name of agent who created it, timestamps)
    • Gives the agent access to the page and the ability to view the token and secrets necessary for integrations.
  • Agent can create new API Keys
    • Lets the agent create new keys.
  • Agent can update existing API Keys (update API Key nickname, revoke the API Key, rotate the secret, revoke the secret)
    • Lets the agent create and revoke secrets and revoke entire keys.

2. Creating API Keys

2.1 Workflow Generated Keys

If you are accessing this page for the first time, there might be keys in the list that you did not create. These keys, where Generated By = Automatically from Workflow, have been migrated over from your existing workflow to maintain backwards compatibility, and should be maintained going forward.

2.2 Creating an API Key

Select “Create New API Key” to generate a new key. Each key must have a unique Key Name associated with it. Once the new key is generated, that key is live and can be used to access your Alloy account.

3. Rotating Key / Secrets

3.1 Rotating Secrets

You can generate up to 5 active secrets per API key. Each secret paired with the token will continue to be live. As you generate new secrets, the older secrets continue to be active but no can no longer be copied.

3.2 Revoking Secrets

To revoke a secret, click the trash icon on that secret's row. Revoking a secret will make any token-secret pair using that secret receive a 401 error. Revoking the topmost secret (green Active) will make the last generated secret copyable again.

IMPORTANT: Do not revoke your old API secrets until you have confirmed the new secret is working as expected.

3.3 Revoking Keys

To revoke a key, click the trash icon on that key's row. You will need to confirm the key’s name (case sensitive) to revoke that key.

Revoking the entire key will make any request still using that key receive a 401 error.

IMPORTANT: Do not revoke your old API keys until you have confirmed the new key is working as expected

Updated 9 days ago