API Key Management
Create, scope, and revoke API keys for external tool integration.
What Are API Keys?
API keys allow external tools and scripts to authenticate with Standardise programmatically. Each key is scoped to specific permission levels so you can follow the principle of least privilege when granting access to third-party services.
Creating an API Key
- Navigate to Settings > API Keys.
- Click Create API Key and provide a descriptive name (e.g., "Slack Integration" or "CI Pipeline").
- Select the appropriate scope:
  - Read — Can fetch data from the API but cannot create or modify records.
  - Write — Can create and update records in addition to reading.
  - Admin — Full API access including organisation settings and member management.
- Click Generate. The key is displayed once and cannot be retrieved again.
Copy the key immediately and store it in a secure location such as a secrets manager or encrypted vault. If you lose the key, you will need to revoke it and create a new one.
Revoking Keys
To revoke an API key, find it in the API Keys list and click Revoke. The key is invalidated immediately and any requests using it will be rejected. Revocation is permanent and cannot be undone.
Revoke keys promptly when they are no longer needed, when a team member who had access leaves, or if you suspect a key has been compromised.
Key Expiry
API keys can be configured with an optional expiry date. Once expired, the key stops working automatically. Setting an expiry is recommended for temporary integrations or contractor access. Keys without an expiry remain active until manually revoked.
Using API Keys
Include the API key as a Bearer token in the Authorization header of your HTTP requests:
Authorization: Bearer your-api-key
API keys are commonly used with webhook integrations, CI/CD pipelines, and custom scripts that need to push evidence or pull compliance data from Standardise.
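The following is an added example, not code from Standardise: a Python sketch of how a custom script or CI job can attach the key as a Bearer token without hard-coding it, sending it over plain HTTP, logging it in full, or forwarding it on a redirect. The environment variable name, base URL, and `/controls` path are assumptions made for the example.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Assumptions (not from the Standardise docs): the environment variable name
# and the base URL below are placeholders for this example.
KEY_ENV_VAR = "STANDARDISE_API_KEY"
BASE_URL = "https://standardise.example.invalid/api"

def load_api_key(env=os.environ):
    """Read the key from the environment, where a secrets manager or CI secret store injects it."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key

def redact(key):
    """Form of the key that is safe to log: at most the last four characters."""
    return "*" * 8 + key[-4:] if len(key) > 8 else "*" * 8

def build_request(path, key, base_url=BASE_URL):
    """Build a request carrying the key as a Bearer token, over HTTPS only."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send an API key over a non-HTTPS URL")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {key}"})

class NoRedirect(urllib.request.HTTPRedirectHandler):
    """urllib copies the Authorization header onto redirected requests;
    returning None here makes a redirect surface as an HTTPError instead."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def make_opener():
    """Opener that will not follow a redirect with the key attached."""
    return urllib.request.build_opener(NoRedirect)

if __name__ == "__main__":
    constructed_key = "sk_constructed_0123456789abcd"  # constructed sample, not a real key
    req = build_request("/controls", constructed_key)  # hypothetical path
    print(req.get_method(), req.full_url, "key:", redact(constructed_key))
    # make_opener().open(req, timeout=10) would send it; left out so this runs offline.
```
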