API Keys
API keys allow you to access the REV23 API from your own applications and scripts. Each key is tied to a specific user and carries a subset of that user’s permissions.
Creating an API Key
Section titled “Creating an API Key”API keys are created in REV23 Cloud. Navigate to your API Keys settings and create a new key by providing:
- Name — A display name to help you identify this key (e.g., “My Integration”).
- Permissions — Select which permissions to grant. Must be a subset of your own user permissions.
After creation, the full API key is displayed. This is the only time the key is shown. Copy and store it securely — it cannot be retrieved again. You can identify the key later by its prefix (the first 12 characters shown in the key list).
Making Requests
Section titled “Making Requests”Every API request using an API key requires two headers:
| Header | Description |
|---|---|
X-Api-Key | Your API key |
X-Tenant-Name | Your Cloud Studio name (the subdomain portion of your studio URL — e.g. if your studio is at mystudio.rev23.com, use mystudio) |
Example
Section titled “Example”curl -X GET "https://cloudappapi.rev23.com/api/v2/customers" \ -H "X-Api-Key: ca_a1b2c3d4e5f6..." \ -H "X-Tenant-Name: mystudio"Permissions
Section titled “Permissions”API keys use the same permission system as user accounts. When creating a key, you select which permissions to grant from those available to your user account.
For example, if your user has read:customer, write:customer, and read:service, you could create a key with just read:customer and read:service — limiting the key to read-only access.
Rate Limiting
Section titled “Rate Limiting”API key requests are rate limited to 200 requests per minute per key. If you exceed this limit, you will receive an HTTP 429 (Too Many Requests) response.
Managing Keys
Section titled “Managing Keys”You can manage your API keys from the same settings page where you created them.
- Deactivate a key to temporarily stop it from working without deleting it. You can reactivate it later.
- Delete a key to permanently revoke access.
Security Best Practices
Section titled “Security Best Practices”- Store keys securely. Treat API keys like passwords. Do not commit them to source control or expose them in client-side code.
- Use minimal permissions. Only grant the permissions your integration actually needs.
- Set expiration dates for keys used in temporary or time-limited integrations.
- Rotate keys periodically. Create a new key, update your integration, then delete the old one.
- Deactivate unused keys rather than leaving them active indefinitely.