How API keys behave
- Each API key is specific to the environment it was generated in. A key created in production will not work in sandbox.
- A key holds the same permissions the creating user had at the moment it was generated. Later changes to that user’s permissions do not affect the key.
- Generating a new key does not invalidate previously generated keys. They keep working until disabled.
- Any automation using a key acts on behalf of the user who created it.
- A key is automatically disabled when its user is deactivated.
You need the APIKeyObject family of permissions to work with API keys. See the permissions reference for details.
Create a key
An org admin provisions API keys. Each key is bound to a user identity in your organization. Audit logs then reflect which integration made each call.
The clientSecret is shown once. Capture it immediately and store it in a secrets manager such as AWS Secrets Manager, HashiCorp Vault, 1Password, or your CI/CD’s encrypted secrets store. ION cannot retrieve a secret after creation.
Get an access token
A key’s clientId and clientSecret are exchanged for a short-lived access token through the client-credentials grant. ION then accepts that token on the Authorization header. Most integrations use a small client library that handles the exchange and caching for you. See Build an API client for a runnable example.
To exchange the credentials directly, POST a client_credentials grant to the auth server for your environment:
| App URI | Auth Server | API Endpoint |
|---|---|---|
| staging.firstresonance.io / sandbox.firstresonance.io | staging-auth.buildwithion.com | https://staging-api.buildwithion.com |
| app.firstresonance.io | auth.buildwithion.com | https://api.buildwithion.com |
| staging.ion-gov.com / sandbox.ion-gov.com | auth-staging-gov.buildwithion.com | https://api-staging-gov.buildwithion.com |
| app.ion-gov.com | auth-production-gov.buildwithion.com | https://api-production-gov.buildwithion.com |
| staging.ion-aus.com | auth-staging-aus.buildwithion.com | https://api-staging-aus.buildwithion.com |
| app.ion-aus.com | auth-production-aus.buildwithion.com | https://api-production-aus.buildwithion.com |
Append /graphql to the API endpoint for query requests, for example https://staging-api.buildwithion.com/graphql. For more runnable scripts, see the ion-examples repository.
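As an added example (not code from the ION docs or the ion-examples repository), the Python client below resolves the auth server and API endpoint from the table above, performs the client_credentials exchange, caches the token until shortly before it expires, and drops the cached token when the API answers 401 (a disabled or deleted key). The token path /oauth/token, the RFC 6749 form-encoded request, and the access_token/expires_in response body are assumptions the page does not state; the HTTP transport is a caller-supplied post(url, body_bytes, headers) -> (status, body_bytes) function.

```python
import json
import time
import urllib.parse

# Environment table from the page: app host -> (auth server host, API endpoint).
ENVIRONMENTS = {
    "staging.firstresonance.io": ("staging-auth.buildwithion.com", "https://staging-api.buildwithion.com"),
    "sandbox.firstresonance.io": ("staging-auth.buildwithion.com", "https://staging-api.buildwithion.com"),
    "app.firstresonance.io": ("auth.buildwithion.com", "https://api.buildwithion.com"),
    "staging.ion-gov.com": ("auth-staging-gov.buildwithion.com", "https://api-staging-gov.buildwithion.com"),
    "sandbox.ion-gov.com": ("auth-staging-gov.buildwithion.com", "https://api-staging-gov.buildwithion.com"),
    "app.ion-gov.com": ("auth-production-gov.buildwithion.com", "https://api-production-gov.buildwithion.com"),
    "staging.ion-aus.com": ("auth-staging-aus.buildwithion.com", "https://api-staging-aus.buildwithion.com"),
    "app.ion-aus.com": ("auth-production-aus.buildwithion.com", "https://api-production-aus.buildwithion.com"),
}
TOKEN_PATH = "/oauth/token"  # ASSUMPTION: the page does not state the auth server's token path

def resolve_environment(app_uri):
    # A key only works in the environment it was created in, so the auth server follows the app host.
    host = urllib.parse.urlsplit(app_uri if "://" in app_uri else "https://" + app_uri).hostname
    if host not in ENVIRONMENTS:
        raise ValueError(f"unknown ION environment: {host!r}")
    auth_host, api_endpoint = ENVIRONMENTS[host]
    return f"https://{auth_host}{TOKEN_PATH}", f"{api_endpoint}/graphql"

class IonClient:
    def __init__(self, app_uri, client_id, client_secret, post, now=time.time, skew=60):
        self.token_url, self.graphql_url = resolve_environment(app_uri)
        self.creds, self.post, self.now, self.skew = (client_id, client_secret), post, now, skew
        self.token, self.expires_at = None, 0.0  # cached access token and its absolute expiry time

    def access_token(self):
        if self.token and self.now() < self.expires_at - self.skew:
            return self.token  # reuse the cached token until shortly before it expires
        form = {"grant_type": "client_credentials", "client_id": self.creds[0], "client_secret": self.creds[1]}
        status, raw = self.post(self.token_url, urllib.parse.urlencode(form).encode(),
                                {"Content-Type": "application/x-www-form-urlencoded"})
        if status != 200:
            raise PermissionError(f"token exchange failed: HTTP {status}")  # e.g. a disabled or deleted key
        data = json.loads(raw)  # ASSUMPTION: standard OAuth2 JSON body with access_token and expires_in
        self.token, self.expires_at = data["access_token"], self.now() + float(data.get("expires_in", 3600))
        return self.token

    def graphql(self, query, variables=None):
        headers = {"Authorization": "Bearer " + self.access_token(), "Content-Type": "application/json"}
        body = json.dumps({"query": query, "variables": variables or {}}).encode()
        status, raw = self.post(self.graphql_url, body, headers)
        if status == 401:
            self.token = None  # key disabled, deleted, or its user deactivated: drop the cached token
            raise PermissionError("401 Unauthorized from the ION API")
        return json.loads(raw)
```

Wrapping urllib.request or requests in a five-line post() function gives a working client; the injected transport also makes the caching and 401 paths testable offline.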
List keys
List your organization’s API keys:
Enable, disable, or regenerate a secret
Update a key with this mutation:
Set enabled to false to disable a key. Set regenerateSecret to true to rotate its secret. Disabling takes effect immediately; the next request using that key returns 401 Unauthorized.
Rotate a key
Rotate an API key when:
- The key might have been exposed, such as being committed to a public repo, leaked in logs, or held by an employee who has left.
- Your org’s security policy requires periodic rotation.
- An integration is being decommissioned.
To rotate a key:
- Provision a new key alongside the existing one.
- Deploy the new key to the integration and verify traffic is succeeding with it.
- Delete the old key.
Delete a key
Delete a key with this mutation:
After deletion, any request using that key returns 401 Unauthorized.