Managing API keys
API keys authenticate every integration request. One partner can have several keys — one per environment, per team, or per rotation window.
Create keys from Settings → Integrations → Partners → {partner} → API keys in the dashboard.
Recommended practice
- One key per environment. Separate staging and production keys. Never reuse.
- Scope tightly. Grant only the resources a key needs — a sync job that only pushes inventory doesn't need
integrations.orders.*. See Scopes. - Set an expiration. Rotate at least once a year. Annual rotation forces the operator to revisit who actually uses the key.
- Store in a secret manager. Treat the key string like a password. It's only shown once at creation.
- Rotate immediately if a key is suspected of exposure. Revoking takes effect on the next request.
What a key holds
| Field | Purpose |
|---|---|
name | Human label. Shown in usage logs. |
scopes | List of scope strings. See Scopes. |
expires_at | Optional. Once past, requests return 401. |
is_active | Revoke without deleting — flip to false. |
| Partner link | Each key belongs to exactly one integration partner. |
Rotating a key
- Create the new key with the same scopes.
- Deploy it to the integrating system.
- Verify traffic is flowing under the new key (see Integration Logs).
- Revoke the old key.
Overlap briefly; don't flip in one step.
Revoking
Either:
- Set
is_active = false— immediate, reversible. - Delete the key — immediate, irreversible; old references to the key string become unrecoverable.
Using the key
curl https://<your-tenant>.datamingle.ai/api/integrations/v1/orders/ \
-H "X-API-Key: sk_live_..."
See Authentication for failure-mode reference.