> ## Documentation Index
> Fetch the complete documentation index at: https://docs.introw.io/llms.txt
> Use this file to discover all available pages before exploring further.

# Create and manage API keys

> Create a scoped, time-limited API key, capture its one-time secret, and revoke it when it is no longer needed.

An API key is what authenticates your code to the Introw REST API. This guide covers the full key lifecycle: creating one with the right permissions and an expiry, capturing the secret the one time it is shown, and revoking it the moment it is no longer needed or might be exposed. Scoping each key tightly keeps an integration's access to exactly what it requires, and nothing more.

## What you'll achieve

A scoped, time-limited API key that your integration uses to authenticate against the Introw REST API, with a clean way to retire it. The key carries only the permissions you grant, expires on the date you choose, and stops working immediately when you revoke it.

## Before you start

<Steps>
  <Step title="Confirm API access is on your plan">
    The Introw API is a paid add-on. If the **Create key** control is unavailable, API access is not enabled on your plan.
  </Step>

  <Step title="Have the Developers permission">
    You need the Developers settings permission on your role to create or revoke keys.
  </Step>

  <Step title="Plan the scopes">
    Know which resources the integration reads or writes (partners, commissions, affiliate conversions, or portal sessions) so you grant the minimum it needs.
  </Step>
</Steps>

## Watch it

<Tabs>
  <Tab title="Video">
    <video controls playsInline preload="none" poster="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/01.png?v=1783353180" className="w-full rounded-xl" src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/video.webm?v=1783353180#t=2.5" />
  </Tab>

  <Tab title="Click through">
    <iframe className="w-full rounded-xl" style={{ width: "100%", aspectRatio: "16 / 11", border: 0, backgroundColor: "#FAFAFA" }} src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/walkthrough.html?v=1783353180" />
  </Tab>
</Tabs>

## Steps

### Create and capture the key

<Steps>
  <Step title="Open API Keys">
    Go to [API Keys](https://app.introw.io/settings/developers/api-keys) under Developers. The list shows each key's name, a masked key, when it was created and by whom, its expiry, last-used time, and permissions. Select **Create key** to open the create dialog.

    <Frame>
      <img src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/01.png?v=1783353180" alt="Open API Keys" />
    </Frame>
  </Step>

  <Step title="Name the key">
    Set a **Name** that identifies where the key is used, for example the integration or product it belongs to (such as "Introw x Lovable"). The name is how you recognize the key later in the list and when you decide what to revoke, so make it specific rather than generic.

    <Frame>
      <img src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/03.png?v=1783353180" alt="Name the key" />
    </Frame>
  </Step>

  <Step title="Choose permissions">
    Under **Permissions**, grant read or write per resource group. Select the minimum the integration needs, the smaller the scope, the smaller the blast radius if the key ever leaks.

    * **Partners** - **Read** to list and inspect partner records, **Write** to create and update them. Most read-only integrations need only **Read**.
    * **Commissions** - **Read** to read commission payouts, **Write** to manage commission line items.
    * **Affiliate** - **Write** records affiliate conversions server-to-server. This group only appears when the affiliate campaigns module is enabled on your plan; if you do not run affiliate campaigns, you will not see it.
    * **Portal sessions** - **Write** creates authenticated partner portal session links. Grant this only for a portal embed integration (see [Embed the partner portal](/features/developer/embed/guides/embed-the-partner-portal)).

    <Frame>
      <img src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/04.png?v=1783353180" alt="Choose permissions" />
    </Frame>
  </Step>

  <Step title="Set the expiry">
    Choose an **Expiry date** so the key does not outlive its use. Options are **90 days**, **180 days** (the recommended default), **365 days**, and **Never expires** (not recommended). Pick the shortest window that fits the integration's lifecycle; you can always create a replacement before the old one lapses. Select **Create key** to generate it.

    <Frame>
      <img src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/05.png?v=1783353180" alt="Set the expiry" />
    </Frame>
  </Step>

  <Step title="Copy the secret now">
    Introw shows the full key once, in the **Copy your API key** dialog, prefixed with `ink_`. Copy it and store it in a secret manager before closing the dialog. The secret is never shown again, so if you lose it you must create a new key and revoke this one. Treat it like a password: never share it, paste it into support chats, or commit it to code.

    <Frame>
      <img src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/07.png?v=1783353180" alt="Copy the secret now" />
    </Frame>
  </Step>

  <Step title="Send the key with your requests">
    Your code authenticates by sending the key in the `x-api-key` header on each request to `https://api.introw.io`. Keep the key server-side; never ship it in browser or mobile code.

    ```bash theme={"theme":{"light":"github-light","dark":"github-dark"}}
    curl https://api.introw.io/api/v1/<endpoint> \
      -H "x-api-key: $INTROW_API_KEY"
    ```

    See the [API Reference](/general/introduction) for the available endpoints, request and response shapes, and per-language code samples.
  </Step>
</Steps>

### Revoke a key when it is no longer needed

<Steps>
  <Step title="Find the key">
    Back on the **API Keys** list, locate the key by its **Name**. If it is still in active use, create its replacement first so you can swap the secret without downtime.

    <Frame>
      <img src="https://assets.introw.io/docs/features/developer/api/guides/create-and-manage-api-keys/steps/08.png?v=1783353180" alt="Find the key" />
    </Frame>
  </Step>

  <Step title="Revoke it">
    Open the key's row menu and choose **Revoke**, then confirm in the **Revoke API key** dialog. Revoking stops the key from authenticating immediately, so do this as soon as a key is retired or you suspect it has been exposed. A revoked key cannot be restored; issue a new one if you need access again.
  </Step>
</Steps>

## Verify it worked

A request that sends the key in the `x-api-key` header succeeds for the scopes you granted and is rejected for scopes you did not, and the key's **Last used** time updates on the API Keys list. After you revoke a key, the same request is rejected immediately.

## Related

<CardGroup cols={2}>
  <Card title="Implementation reference" icon="screwdriver-wrench" href="../technical">
    Settings, plan requirements, and troubleshooting for API keys.
  </Card>

  <Card title="Authentication" icon="lock" href="/general/authentication">
    How to send the key with requests.
  </Card>

  <Card title="API reference" icon="code" href="/general/introduction">
    Endpoints, schemas, and code samples.
  </Card>

  <Card title="Embed the partner portal" icon="window-maximize" href="/features/developer/embed/guides/embed-the-partner-portal">
    Uses a key with the portal sessions scope.
  </Card>
</CardGroup>
