Admin

API keys/webhooks

Prepare integrations safely without exposing secrets in the UI.

Updated: 2026-06-10apikeyswebhooks

API keys and webhook secrets enable machine access and must be treated as credentials. They must never appear in client code, screenshots, tickets or public repositories.

Create a key

Create a key only for the required workspace and purpose. Use a clear label, limit permissions and store the displayed value immediately in a secret manager.

Secure use

Send requests only over TLS, enforce authentication and rate limits, and never log complete keys. Webhook receivers must validate signatures and time context.

Rotate and revoke

Rotate regularly and immediately after suspected exposure. Revoke old values only after dependent systems have been moved in a controlled way, then review errors and deliveries.

Back to Help CenterContact support