Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.appnigma.ai/llms.txt

Use this file to discover all available pages before exploring further.

Overview

An API key authenticates requests made on behalf of an OAuth integration. Each key is scoped to a single integration and is returned exactly once at creation time — the secret value cannot be retrieved afterward, so it must be stored securely immediately. Every API key generated for an integration includes:
  • A private API key — used as a bearer credential in API requests. Shown only at creation.
  • A public key — a non-secret identifier that can be shared or logged.
  • A user-provided label to distinguish keys in dashboards and audit logs.

Prerequisites

1

A configured integration

You must have an integration in configured status. See Create an Integration if you haven’t set one up yet.
2

Permission to manage keys

Your account must have permission to create API keys within the workspace that owns the integration.

Generate via the UI

1

Open the integration's API Keys tab

From OAuth → Integrations, click the integration you want to issue a key for, then select the API Keys tab on its detail page (/oauth/{integrationId}).
OAuth Integrations page in the sidebar with Add Integration visible.
2

Click 'Generate API key'

The button in the top-right of the API Keys tab opens the Create API Key form at /api-keys/create with the integration pre-selected.
OAuth Integrations page in the sidebar with Add Integration visible.
OAuth Integrations page in the sidebar with Add Integration visible.
3

Name the key

Enter a descriptive API Key Name (e.g. Production Backend, Local Development, CI Runner). This label helps identify the key later when auditing or revoking.
4

Click 'Save & Generate Key'

The platform creates the key and redirects you to the confirmation page.
5

Copy and store the key

Immediately copy the API Key Value and (optionally) the Public Key using the copy buttons. Store the private key in a secrets manager or environment variable. Once you navigate away, the private key can never be viewed again.
OAuth Integrations page in the sidebar with Add Integration visible.
This is your only chance to view the API key value. The platform does not store the plaintext secret — only a hashed version used for verification. If you lose the key, you must revoke it and generate a new one.
If you arrived on the form from the integration’s API Keys tab, clicking Done will return you directly back to that tab so you can verify the new key appears in the list.

Revoke a key

Revocation is immediate and irreversible. Any request using the revoked key will begin returning 401 Unauthorized as soon as the call succeeds.
Revoking a key in production will break any service still using it. Generate and deploy a replacement key before revoking the old one.
You can revoke keys from the UI via:
  • The Revoke button on the API Key Created confirmation page (right after generation).
  • The revoke action in the API Keys tab on the integration detail page.
oauth revoke button

Security Best Practices

Never commit keys to source control

Store API keys in environment variables, secrets managers (AWS Secrets Manager, Vault, Doppler), or platform-native secret stores.

Use one key per environment

Generate separate keys for production, staging, and development so you can revoke them independently.

Rotate keys regularly

Create a replacement key, deploy it, then revoke the old key. Avoid gaps in coverage.

Label keys clearly

Use descriptive labels like api-gateway-prod or cron-worker-staging so you know which system owns each key when auditing.