API keys are named credentials created by a signed-in YALG user from Settings > Developer.

Lifecycle

  1. Create a named key for an integration or environment.
  2. Copy the full secret once.
  3. Store it in a server-side secret manager or environment variable.
  4. Use it in the x-api-key header.
  5. Rotate it when team membership, infrastructure, or exposure risk changes.
  6. Revoke keys that are no longer needed.
API keys are shown once. Store them in a server-side secret manager or environment variable, and never expose them in client-side code.

Naming

Use names that make ownership and purpose obvious:
  • production-crm-sync
  • staging-internal-dashboard
  • zapier-content-pipeline
  • analytics-export-worker
Avoid generic names like test, my key, or integration.

Rotation

To rotate a key with minimal interruption:
  1. Create a new key.
  2. Deploy the new key to your integration.
  3. Confirm successful requests.
  4. Revoke the old key.
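
The rotation steps above as an added Python example (not YALG's own code): it reads both keys from environment variables, sends the new key in the x-api-key header, and reports the old key as safe to revoke only after every probe request succeeds. The probe URL and the two environment variable names are assumptions; substitute an authenticated endpoint your integration already calls.

```python
import os
import urllib.error
import urllib.request

# Assumptions (not from the YALG docs): the probe URL and both variable names.
PROBE_URL = "https://api.example.invalid/v1/ping"   # placeholder endpoint
CURRENT_VAR = "YALG_API_KEY"        # key the integration uses today
NEXT_VAR = "YALG_API_KEY_NEXT"      # newly created replacement key


def load_key(var, env):
    """Read a key from the environment; fail closed when it is missing."""
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set")
    return key


def build_request(url, key):
    """Attach the key in the x-api-key header, never in the URL or body."""
    req = urllib.request.Request(url, method="GET")
    req.add_header("x-api-key", key)
    return req


def http_status(req, timeout=10):
    """Send the request and return the HTTP status, including 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:
        return 0  # network failure or timeout counts as a failed probe


def safe_to_revoke_old(env, send=http_status, probes=3):
    """True only if every probe made with the new key returns 2xx."""
    old, new = load_key(CURRENT_VAR, env), load_key(NEXT_VAR, env)
    if old == new:
        raise ValueError("new key equals old key; nothing was rotated")
    statuses = [send(build_request(PROBE_URL, new)) for _ in range(probes)]
    return all(200 <= s < 300 for s in statuses)


if __name__ == "__main__":
    if safe_to_revoke_old(os.environ):
        print("new key confirmed; revoke the old key")
    else:
        print("new key failed a probe; keep the old key active")
```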

Access model

API keys inherit the feature access and resource ownership of the user who created them. If the owner does not have access to a feature, the key cannot use that feature.