Tenant API Keys
Programmatic API access using tenant-scoped API keys.
Overview
Tenant API Keys provide an alternative to JWT authentication for machine-to-machine communication. Each key is scoped to a specific tenant.
Creating API Keys
```http
POST /api/tenant-api-key
Authorization: Bearer {admin-token}
Content-Type: application/json

{
  "name": "CI/CD Integration",
  "expiresAt": "2025-12-31T00:00:00.000Z"
}
```
Using API Keys
Include the API key in the X-API-Key header:
```http
GET /api/employee
X-API-Key: {api-key}
```
Key Properties
| Property | Description |
|---|---|
| Name | Human-readable key identifier |
| API Key | The secret key (shown once) |
| Expires At | Optional expiration date |
| Tenant | Scoped to creating tenant |
Security Considerations
| Practice | Recommendation |
|---|---|
| Key storage | Store as environment variable |
| Rotation | Rotate quarterly |
| Expiration | Always set expiration dates |
| Minimum scope | Create purpose-specific keys |
| Revocation | Delete immediately if leaked |
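The following client-side sketch applies the storage, expiration and rotation rows above to the two requests shown on this page. It is an added example, not code from the project: the `TENANT_API_KEY` variable name, the 90-day reading of "quarterly", the 14-day warning window and the HTTPS-only check are assumptions, and the requests are only built, not sent.

```python
import json
import os
from datetime import datetime, timedelta, timezone
from urllib.request import Request

ENV_VAR = "TENANT_API_KEY"  # assumed variable name, not defined by the page
ROTATION_DAYS = 90          # assumed reading of "rotate quarterly"


def iso_ms(dt):
    # Same shape as the page's expiresAt value: 2025-12-31T00:00:00.000Z
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def require_https(base_url):
    # A bearer token or API key sent over plain HTTP is readable in transit.
    if not base_url.startswith("https://"):
        raise ValueError("refusing to send credentials over a non-HTTPS URL")
    return base_url.rstrip("/")


def build_create_key_request(base_url, admin_token, name, now=None):
    # POST /api/tenant-api-key, always with an expiry one rotation period out.
    now = now or datetime.now(timezone.utc)
    body = {"name": name, "expiresAt": iso_ms(now + timedelta(days=ROTATION_DAYS))}
    return Request(
        require_https(base_url) + "/api/tenant-api-key",
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {admin_token}",
                 "Content-Type": "application/json"},
    )


def build_employee_request(base_url, env=os.environ):
    # GET /api/employee; the key comes only from the environment, never from code.
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set")
    return Request(require_https(base_url) + "/api/employee",
                   headers={"X-API-Key": key}, method="GET")


def rotation_due(expires_at, now, warn_days=14):
    # True when the key expires within warn_days, or has already expired.
    expiry = datetime.strptime(expires_at, "%Y-%m-%dT%H:%M:%S.%f%z")
    return expiry - now <= timedelta(days=warn_days)
```

Pass the built request to `urllib.request.urlopen` to send it, and run `rotation_due` from a scheduled job so a replacement key is created before the old one lapses.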
Related Pages
- Tenant Endpoints: tenant API
- API Security Best Practices: API security
- Secret Management: managing secrets