API Keys
APIO uses API Keys to authenticate all interactions with the API.
If you make a request without a valid API Key, or if the provided key is incorrect, APIO will return an authentication error.
API Keys allow APIO to identify your account, enforce permissions, and ensure secure access to your resources.
Environments
APIO operates with two separate environments:
- Test Mode – Used for development and testing
- Live Mode – Used for production operations
Each API Key is associated with one environment only, and resources created in one environment cannot be accessed or modified from the other.
API Key Usage
APIO API Keys are secret credentials and must be treated as sensitive information.
- API Keys must be used only from your backend
- Never expose API Keys in client-side applications or public repositories
Each API Key has a defined set of permissions, which determine what actions can be performed using that key.
Getting Your API Key
To obtain an API Key, you must contact APIO Support.
API Keys are generated and delivered securely based on:
- Your organization
- The environment (Test or Live)
- The permissions required for your integration
🚧 Important
API Keys are provided only once. Make sure to store them securely in your backend or secrets manager.
Managing API Key Permissions
Each API Key is created with a specific set of permissions.
If you need to modify the permissions associated with an API Key:
- In most cases, you must request a new API Key
- In some cases, APIO Support may update the permissions of an existing key
To request a change, contact APIO Support with:
- The API Key or environment
- The permissions to add or remove
- The reason for the request
Rotating API Keys
We recommend rotating your API Keys periodically to limit the impact of a leaked or compromised key.
To rotate an API Key:
- Contact APIO Support
- A new API Key will be issued
- Update your backend to use the new key
- Revoke the old key once migration is complete
Security Best Practices
- Store API Keys using environment variables or a secrets manager
- Never expose API Keys in frontend code
- Rotate keys regularly
- Request only the permissions your integration requires
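As an added example (not part of APIO's documentation or SDK), a backend startup check in Python that applies the practices above: it reads the key for one mode from environment variables, prefers a replacement key during rotation, and fails fast on a missing key or a key configured for both environments. The variable names `APIO_<MODE>_API_KEY` and `APIO_<MODE>_API_KEY_NEXT` and all function names are assumptions.

```python
import os

MODES = ("test", "live")  # the two APIO environments described on this page


class KeyConfigError(RuntimeError):
    """Raised at startup so a misconfigured backend never sends a request."""


def redact(key: str) -> str:
    """Return a log-safe form: only the last 4 characters stay visible."""
    return "*" * 8 + key[-4:] if len(key) > 8 else "*" * 8


def load_api_key(mode: str, env=os.environ) -> str:
    """Pick the key for one mode from environment variables.

    Assumed variable names (not defined by APIO):
      APIO_<MODE>_API_KEY       key currently in use
      APIO_<MODE>_API_KEY_NEXT  replacement key, set during a rotation
    """
    if mode not in MODES:
        raise KeyConfigError(f"unknown mode {mode!r}, expected one of {MODES}")
    name = f"APIO_{mode.upper()}_API_KEY"
    current = env.get(name, "").strip()
    upcoming = env.get(name + "_NEXT", "").strip()
    key = upcoming or current  # prefer the new key once it is deployed
    if not key:
        raise KeyConfigError(f"{name} is not set; refusing to start")
    # A key belongs to one environment only, so the same value configured
    # for both modes means one of the two settings is wrong.
    other = "live" if mode == "test" else "test"
    other_name = f"APIO_{other.upper()}_API_KEY"
    other_keys = (env.get(other_name, "").strip(),
                  env.get(other_name + "_NEXT", "").strip())
    if key in other_keys:
        raise KeyConfigError(f"{mode} key is also configured for {other} mode")
    return key


if __name__ == "__main__":
    # Constructed sample values, not real APIO keys.
    sample = {"APIO_TEST_API_KEY": "constructed-test-key-0001"}
    print("using key", redact(load_api_key("test", sample)))
```

During a rotation, set the `_NEXT` variable to the newly issued key, deploy, and after the old key is revoked move the new value into the main variable.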