Managing API Keys

Last updated: April 18, 2026

API keys let you (or systems you build) authenticate to the Glyphic API. They're created and revoked from Settings → API and treated like passwords — anyone with a key can call the API on behalf of your organization, so handle them carefully.

Creating a key

  1. Go to Settings → API.
  2. Click Create New Key.
  3. Give the key a descriptive name, e.g. Internal data warehouse export or Zapier integration — production.
  4. Click Create Key.
  5. Copy the key shown in the popup and store it securely. You won't be able to see it again.

Important: The full key is only shown once, immediately after creation. If you lose it, you'll need to revoke and create a new one.

Limits

  • Default: 5 active keys per organization.
  • Extended limit (where the feature flag is enabled): 50 active keys per organization.

If you've hit the limit, the Create New Key button is disabled. Revoke an unused key to free up a slot.

Revoking a key

  1. Find the key in the table at Settings → API.
  2. Click Revoke in the Actions column.
  3. Confirm in the modal.

Revocation is immediate and permanent. Any system using that key will start receiving authentication errors.

What's shown in the table

  • Name — the descriptive name you gave the key.
  • API Key — the first few characters (the prefix) followed by asterisks. The prefix lets you identify a key without exposing it.
  • Created On — when the key was created.
  • Created By — which user created it.
  • Last Used — the most recent time a request was made with this key. Useful for spotting unused keys before revoking.

Best practices

  • Treat keys like passwords. Don't commit them to source control, paste them into chat, or share them in email. Use a secret manager.
  • Use descriptive names. When you have several keys, "Zapier — production" is much more useful than "Test 1" when deciding what to revoke.
  • Rotate regularly. Create a new key, switch the consumer over, then revoke the old one. The Last Used column helps confirm a key is no longer needed.
  • One key per consumer. Avoid sharing one key across multiple integrations — it makes rotation and revocation surgical.
  • Revoke when in doubt. If you suspect a key has leaked, revoke it immediately. Creating a new one is cheap.

Permissions

Only users with API key management permission (typically admins) can create or revoke keys. All keys created by anyone in the workspace are visible to anyone with this permission.

Scope & access

API keys can access all non-private calls in your organization. There is no way to scope a key to a single user, team, or project — treat each key as having full read access to org data.

Rate limits

The API enforces rate limits to keep the system stable. If you hit them, you'll get a 429 response — back off and retry. For details, see the API documentation and the Glyphic API overview.

FAQ

I lost a key. Can support recover it for me?

No. We never store the full key after creation — only the prefix and a hash. You'll need to create a new one and switch your consumer to it.

Why does the Created By column say "Unknown" for an old key?

Either the user who created the key has been removed from the workspace or the key predates the column. The key is still valid; you can revoke it from the Actions column either way.

How do I use a key in a request?

Send it in the X-API-Key header. See the API documentation for examples.

If you have questions about API keys, reach out to support@glyphic.ai.