Settings

API Keys

Create and manage API keys for programmatic access to Keva

API keys enable programmatic access to Keva's REST API. Use them for integrations, automations, and custom workflows while maintaining security best practices.

Overview

Keva API keys:

  • Use Bearer token authentication
  • Are prefixed with keva_live_ for easy identification
  • Are scoped to your organization
  • Support granular permissions
  • Are logged in the audit trail

Creating an API Key

Generate a New Key

  1. Navigate to Settings > API Keys
  2. Click Create Key
  3. Enter a descriptive name (e.g., "Zapier Integration")
  4. Select permissions for the key
  5. Click Create

Copy Your Key

The full API key is displayed only once. Copy it immediately:

keva_live_sk_a1b2c3d4e5f6...

Store the key securely. If lost, you must create a new key.

Key Format

Keva API keys follow this format:

keva_live_sk_{random_string}

  • keva_live_ - Identifies the key as a Keva production key
  • sk_ - Secret key identifier
  • {random_string} - Cryptographically secure random characters

Using API Keys

Authentication Header

Include the key in the Authorization header:

curl -X GET https://api.keva.support/v1/tickets \
  -H "Authorization: Bearer keva_live_sk_a1b2c3d4e5f6..."

SDK Usage

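import { KevaClient } from '@keva/sdk';

// Read the key (keva_live_sk_...) from an environment variable instead of
// hardcoding it. KEVA_API_KEY is an example name, not one defined by Keva.
const keva = new KevaClient({
  apiKey: process.env.KEVA_API_KEY
});

// List tickets using the authenticated client
const tickets = await keva.tickets.list();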

Managing API Keys

View Keys

The API Keys page shows:

  • Key name
  • Partial key (last 4 characters)
  • Created date
  • Last used date
  • Created by

Rename a Key

  1. Find the key in the list
  2. Click the Edit button
  3. Enter the new name
  4. Click Save

Delete a Key

  1. Find the key to delete
  2. Click Delete
  3. Confirm deletion

Deleted keys are immediately revoked. Any requests using the key will fail.

Permission Requirements

Action          Required Permission
View API keys   api_keys.view
Create keys     api_keys.create
Delete keys     api_keys.delete

Security Best Practices

Use Descriptive Names

Name keys by their purpose:

  • "Zapier Production"
  • "Internal Dashboard"
  • "CI/CD Pipeline"

This helps identify keys for rotation and deletion.

Rotate Keys Regularly

Rotate API keys every 90 days:

  1. Create a new key
  2. Update your integration
  3. Verify the new key works
  4. Delete the old key

Limit Key Permissions

Create keys with only the permissions needed:

  • Read-only integrations: View permissions only
  • Ticket creation: tickets.create only
  • Full integration: All required permissions

Monitor Key Usage

Review API key activity regularly:

  • Check "Last Used" dates
  • Delete unused keys
  • Investigate unexpected usage

Never Share Keys

  • Don't commit keys to source control
  • Use environment variables
  • Don't share keys via email or chat
  • Use secret management tools

Secure Storage

Store keys in:

  • Environment variables
  • Secret management services (AWS Secrets Manager, HashiCorp Vault)
  • Encrypted configuration files

Never store in:

  • Source code
  • Plain text files
  • Browser storage
  • Logs
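
One way to enforce the "never store in source code or logs" rule is to scan text for the keva_live_sk_ prefix before it is committed or written out. The sketch below is an added example, not Keva's own tooling; the character set and minimum length of the random part are assumptions, since this page documents only the prefix.

```javascript
// Added example: find and redact Keva API keys in text (source files, logs).
// Assumption: the random part uses URL-safe characters ([A-Za-z0-9_-]) and is
// at least MIN_RANDOM_LEN long; the page documents only the keva_live_sk_ prefix.
const KEY_PREFIX = 'keva_live_sk_';
const MIN_RANDOM_LEN = 8; // assumed lower bound, tune to the real key length

// The lookbehind stops a match from starting inside a longer token.
const KEY_RE = new RegExp(
  `(?<![A-Za-z0-9_-])${KEY_PREFIX}[A-Za-z0-9_-]{${MIN_RANDOM_LEN},}`, 'g');

// Keep the prefix and the last 4 characters, as the API Keys page does, so a
// finding can be matched to a key in the list without re-exposing it.
function redactKey(key) {
  return `${KEY_PREFIX}****${key.slice(-4)}`;
}

// Return one finding per key occurrence: 1-based line, column, redacted key.
function scanText(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const m of line.matchAll(KEY_RE)) {
      findings.push({ line: i + 1, column: m.index + 1, key: redactKey(m[0]) });
    }
  });
  return findings;
}

// Replace every key in a string before it is logged or stored.
function redactText(text) {
  return text.replace(KEY_RE, (m) => redactKey(m));
}

// Constructed sample input; the key values are made up.
const SAMPLE = [
  'const keva = new KevaClient({ apiKey: process.env.KEVA_API_KEY });',
  "apiKey: 'keva_live_sk_Zx9Qw3Lm7Tn2Vb6Kp4Rd'",
  'format is keva_live_sk_{random_string}',
  'Authorization: Bearer keva_live_sk_Ab12Cd34Ef56Gh78 (debug log)',
].join('\n');

console.log(scanText(SAMPLE));
console.log(redactText('retrying with keva_live_sk_Ab12Cd34Ef56Gh78'));
```

Run a check like this in a pre-commit hook or CI step and fail when scanText returns any finding. A key that has already been committed should be deleted and replaced, since deletion revokes it immediately.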

Rate Limits

API keys are subject to rate limits:

Plan         Requests/minute
Starter      60
Growth       300
Scale        1,000
Enterprise   Custom

Rate limit headers are included in responses:

  • X-RateLimit-Limit - Maximum requests
  • X-RateLimit-Remaining - Requests remaining
  • X-RateLimit-Reset - Reset timestamp

Audit Trail

API key actions are logged:

  • api_key.created - New key generated
  • api_key.deleted - Key revoked
  • api_key.used - API request made (sampled)

All API requests include the key identifier in audit logs for traceability.