Written by Dawid Gulbicki

How to create and manage API keys?

Learn how to create API keys and manage their settings to enhance data security


One of the crucial aspects of implementing the User.com Marketing Automation Platform is ensuring that you work with up-to-date information about your customers. Recognizing the importance of these integrations, we provide a robust API that enables your software to connect directly with our platform. 

This guide will walk you through the creation and management of your API keys, essential for the secure exchange of data between your data sources and the User.com application.

Create API keys - step by step guide

  1. In your User.com application go to: Settings - App Settings - Advanced - Public API

  2. Click the “Create API key” button in the top-right corner of the page.

  3. Set the necessary parameters in the key creation window.

The name only helps you recognize which connection a given key was created for. The remaining security settings, which we refer to as API Shield, are explained below.

User.com API Shield

To maintain the highest quality of services and ensure robust data security, we have enhanced our API keys with additional functionalities known as the API Shield.

This feature is designed to provide an extra layer of security for the API communication with our platform.

The scope settings

The scope functionality of the API key enables specific permissions to be set, controlling the level of access to the API. There are three scope settings available:

  • Read Only: This setting allows the API key to access data without making any changes. It can retrieve information but cannot modify, create, or delete any data. This is ideal for applications or users who need to view data without altering it.

  • Write Only: This setting permits the API key to modify, create, and delete data but does not allow it to read or retrieve any existing data. This can be useful for background processes or applications that need to send data to the server without accessing existing information.

  • All: This setting grants the API key full access, enabling it to read and write data. It can retrieve, create, modify, and delete data. This setting is suitable for applications or users that require comprehensive interaction with the data.

Implementing the "scope" functionality allows for precise control over access, ensuring that users and applications have only the necessary permissions, thus enhancing security and data protection.

Setting the expiration date

The "Day of expire" function for an API key determines the exact date when the API key will become invalid. This feature allows administrators to enhance security and control by setting a predetermined expiration date for each API key.

  • Automatic Deactivation: Once the set expiration date is reached, the API key is automatically deactivated, preventing it from accessing the API and ensuring it cannot be used further. Renewal or extension of the key is not possible.

  • Expiration Reminder Notification: Two weeks before the expiration date, we send an email notification to both the key author and the application owner to alert them of the upcoming deactivation.

Incorporating the "day of expire" function allows for better management of API access, enhances security, and ensures that API keys are used within a defined timeframe.

One-Time View Functionality

The one-time view functionality ensures that the full API key is displayed only once at the time of its creation. Here’s how it works:

  • Full Display at Creation: When a new API key is generated, it is fully displayed just once. This is the only opportunity to view and securely store the entire key.

  • Partial Visibility for Security: After the initial display, the system masks the key, showing only the last four characters. This helps protect the key from being exposed or compromised.

IP Whitelisting Functionality for API Keys

IP whitelisting allows administrators to create a list of approved IP addresses from which API keys can be used. This feature adds an extra layer of security by restricting API key usage to designated locations.

  • Adding Multiple IP Addresses: Administrators have the capability to add multiple IP addresses to the whitelist, limiting API access exclusively to these locations.

  • Application-Wide Whitelist: Any IP addresses added to the whitelist are applied to all API keys generated within a specific application. Consequently, every key created for the application will be restricted to the same set of approved IP addresses.
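
The scope, expiration and application-wide whitelist rules above can be checked against a key inventory you keep yourself. The following is an added example, not part of User.com's documentation or API; the KeyRecord fields, key names and IP addresses are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_address

# What each of the three scope settings described above permits.
SCOPE_GRANTS = {"Read Only": {"read"}, "Write Only": {"write"}, "All": {"read", "write"}}
REMINDER_WINDOW = timedelta(days=14)  # the reminder e-mail is sent two weeks before expiry


@dataclass
class KeyRecord:       # hypothetical inventory row that you maintain yourself
    name: str
    scope: str         # scope chosen when the key was created
    needs: set         # operations the integration performs: "read", "write"
    expires: date      # the "Day of expire" value
    source_ips: list   # addresses the integration calls the API from


def audit(keys, allowlist, today):
    """Return (key name, finding) tuples for an inventory of API keys."""
    allowed = {ip_address(a) for a in allowlist}
    findings = []
    for k in keys:
        granted = SCOPE_GRANTS[k.scope]
        if k.needs - granted:
            findings.append((k.name, "scope too narrow: missing " + ",".join(sorted(k.needs - granted))))
        elif granted - k.needs:
            findings.append((k.name, "over-scoped: unused " + ",".join(sorted(granted - k.needs))))
        if k.expires <= today:
            findings.append((k.name, "expired: create a replacement key"))
        elif k.expires - today <= REMINDER_WINDOW:
            # Keys cannot be renewed or extended, so a new key has to be issued.
            findings.append((k.name, "expires in %d days: rotate now" % (k.expires - today).days))
        # The whitelist is application-wide, so every key's callers must be on it.
        for ip in k.source_ips:
            if ip_address(ip) not in allowed:
                findings.append((k.name, "source %s not on allowlist" % ip))
    return findings


# Constructed sample data (documentation address ranges, made-up key names).
ALLOWLIST = ["203.0.113.10", "203.0.113.11"]
KEYS = [
    KeyRecord("crm-sync", "All", {"read", "write"}, date(2025, 12, 1), ["203.0.113.10"]),
    KeyRecord("bi-export", "All", {"read"}, date(2025, 6, 10), ["203.0.113.11"]),
    KeyRecord("event-ingest", "Write Only", {"write"}, date(2025, 9, 1), ["198.51.100.7"]),
]

if __name__ == "__main__":
    for name, finding in audit(KEYS, ALLOWLIST, today=date(2025, 6, 1)):
        print(name + ": " + finding)
```

Because expired keys cannot be renewed, a "rotate now" finding means creating a new key and storing it at creation time, the only moment the full value is shown.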

Summary

Features like scope settings, expiration controls, one-time visibility, and IP whitelisting form the cornerstone of secure API management. By understanding and applying these functionalities, you ensure that your API integrations are secure, controlled, and compliant with best practices.

If you wish to learn more about using the REST API to connect your software with the User.com application, please refer to our REST API documentation.
