...
API-Keys are randomly generated strings you can use to authenticate and authorize requests. They are designed primarily for machine-to-machine communication and don’t rely on sessions or interactive mechanisms such as a login and password prompt, but they can also be used to grant temporary access to resources thanks to the built-in expiration (see the fully qualified link documentation).
...
Info |
---|
The example API calls below hide the Authorization header, but all calls are made on endpoints requiring proper authentication and authorization to manage users, roles and API-Keys. You can use the interactive Swagger UI to make the calls below after logging in with your user and password. |
Use your own tenant URL: the examples below use the alfredo organization on Q.
Creation
Before creating an API-Key, you must properly set up the roles and users in your tenant:
...
The list of roles is passed at API-Key creation and cannot be modified afterwards: a token’s roles are immutable.
...
You can alter a role to add or remove permissions, depending on your intention. Keep in mind that you should grant only the permissions your application requires, and not grant all permissions.
You must use the same roles for the API-Key and the matching user: you can’t use different ones, even if they have the same permissions.
User
Each API-Key is explicitly bound to a user at creation, and any action performed with this token will appear as made by this user. The user must already exist and must have at least the roles you want to give to the token.
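Because a token's roles cannot be changed after creation, it is worth checking a request against the rules above before sending it. The following is an added example, not part of the platform's API or documentation: the dictionary layout, the role and user names, the permission strings and the `*` wildcard are all assumptions made for illustration.

```python
# Added example: pre-flight check of an API-Key creation request.
# Data layout, names and the "*" wildcard are assumptions, not the platform's schema.

# Constructed sample tenant data.
ROLES = {
    "ci-deployer": {"apps:read", "apps:deploy"},
    "ci-deployer-copy": {"apps:read", "apps:deploy"},  # same permissions, other role
    "admin": {"*"},
}
USERS = {"ci-bot": {"roles": ["ci-deployer"]}}


def check_key_request(user_id, key_roles, needed, users=USERS, roles=ROLES):
    """Return a list of problems; an empty list means the request follows the rules."""
    user = users.get(user_id)
    if user is None:
        # The key must be bound to an already existing user.
        return [f"user {user_id!r} does not exist"]
    problems = []
    for name in key_roles:
        if name not in roles:
            problems.append(f"role {name!r} is not defined")
        elif name not in user["roles"]:
            # Roles are matched by identity: equal permissions are not enough.
            problems.append(f"role {name!r} is not held by user {user_id!r}")
    granted = set().union(*(roles.get(n, set()) for n in key_roles))
    if "*" in granted:
        problems.append("key roles grant all permissions")
    else:
        extra = sorted(granted - set(needed))
        missing = sorted(set(needed) - granted)
        if extra:
            problems.append("unneeded permissions granted: " + ", ".join(extra))
        if missing:
            problems.append("required permissions missing: " + ", ".join(missing))
    return problems


if __name__ == "__main__":
    need = {"apps:read", "apps:deploy"}
    for key_roles in (["ci-deployer"], ["ci-deployer-copy"], ["admin"]):
        print(key_roles, "->", check_key_request("ci-bot", key_roles, need) or "ok")
```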
...
The API-Key will be removed and cannot be recovered; since it is randomly generated, you can’t get the same token again.