# API Keys

Learn how to create and manage API keys for programmatic access.

### What are API Keys?

API keys are credentials that allow you to:

* Access the Kaana API programmatically
* Build custom integrations
* Automate workflows
* Connect third-party tools

### Accessing API Key Settings

{% stepper %}
{% step %}
Go to **Settings** and select **API Keys**.

Note: Requires appropriate permissions.
{% endstep %}
{% endstepper %}

### Creating an API Key

#### Generate a New Key

{% stepper %}
{% step %}
Click **+ Create API Key**.
{% endstep %}

{% step %}
Enter a name for the key (e.g., "Zapier Integration").
{% endstep %}

{% step %}
Click **Create**.
{% endstep %}

{% step %}
Copy the key immediately — it's only shown once!
{% endstep %}
{% endstepper %}

#### Key Naming

Use descriptive names:

* Include the purpose: "Slack Integration"
* Include environment: "Dev Testing Key"
* Include owner if shared: "John's Dashboard Key"

### Viewing Your Keys

Your API keys list shows:

* Key name
* Created date
* Last used date
* Status (active/revoked)

You cannot view the full key after creation.

### Using Your API Key

#### In API Requests

Include the key in the Authorization header:

```
Authorization: Bearer YOUR_API_KEY
```

#### Example with cURL

```bash
curl -X GET "https://app.kaana.com/api/projects" \
  -H "Authorization: Bearer abc123def456..." \
  -H "Content-Type: application/json"
```

#### Example with JavaScript

```javascript
fetch('https://app.kaana.com/api/projects', {
  headers: {
    'Authorization': 'Bearer abc123def456...',
    'Content-Type': 'application/json'
  }
})
```

#### Example with Python

```python
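import requests

headers = {
    'Authorization': 'Bearer abc123def456...',  # placeholder; use your own key
    'Content-Type': 'application/json'
}

# Set a timeout so a stalled connection cannot hang the integration
response = requests.get('https://app.kaana.com/api/projects',
                        headers=headers, timeout=10)
response.raise_for_status()  # raise on 4xx/5xx instead of continuing silently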
```

### Revoking Keys

If a key is compromised or no longer needed:

{% stepper %}
{% step %}
Go to **Settings** > **API Keys**.
{% endstep %}

{% step %}
Find the key.
{% endstep %}

{% step %}
Click **Revoke**.
{% endstep %}

{% step %}
Confirm revocation.

Revoked keys immediately stop working. This cannot be undone.
{% endstep %}
{% endstepper %}

### Security Best Practices

#### Keep Keys Secret

* Never share keys publicly
* Don't put keys in source code
* Use environment variables
* Don't email keys

#### Store Securely

Good practices:

* Use a secrets manager
* Use environment variables
* Encrypt at rest

Bad practices:

* Storing in plain text files
* Committing to git repositories
* Sharing via unsecured channels

#### Rotate Keys

{% stepper %}
{% step %}
Create a new key.
{% endstep %}

{% step %}
Update your integrations.
{% endstep %}

{% step %}
Revoke the old key.
{% endstep %}
{% endstepper %}

#### Least Privilege

* Create separate keys for different uses
* Revoke keys you no longer need
* Audit key usage regularly

#### Key Permissions

API keys inherit your account permissions:

* If you're an admin, the key has admin access
* Tenant isolation is enforced
* You can only access your organization's data

### Troubleshooting

<details>

<summary>"Invalid API Key" Error</summary>

* Verify the key is correct (no extra spaces)
* Check if the key was revoked
* Ensure you're using Bearer authentication

</details>

<details>

<summary>"Unauthorized" Error</summary>

* Verify you have permission for the action
* Check if your account is active
* Confirm you're accessing the correct tenant

</details>

<details>

<summary>Key Not Working</summary>

Create a test request to `/api/user`. If it works, the issue is with the specific endpoint. If it fails, the key may be revoked or invalid.

</details>
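
The checks above (key read from an environment variable, no extra spaces, and the `/api/user` test) combined in one script, as an added example that is not Kaana's own code. The variable name `KAANA_API_KEY` and the rule that any 2xx status counts as "works" are assumptions; the host and paths are the ones used on this page.

```python
import os
import urllib.error
import urllib.request

BASE_URL = "https://app.kaana.com"   # host used in the examples on this page
ENV_VAR = "KAANA_API_KEY"            # assumed variable name, not defined by Kaana


def load_key(env=os.environ):
    """Read the key from the environment and reject obviously broken values."""
    raw = env.get(ENV_VAR)
    if not raw:
        raise RuntimeError(f"{ENV_VAR} is not set")
    if any(c.isspace() for c in raw):
        # Covers the "no extra spaces" check; the key itself is never printed.
        raise RuntimeError(f"{ENV_VAR} contains whitespace; re-copy the key")
    return raw


def http_status(path, key):
    """Send GET <path> with Bearer authentication and return the status code."""
    req = urllib.request.Request(
        BASE_URL + path,
        headers={"Authorization": f"Bearer {key}",
                 "Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def diagnose(path, key, status_of=http_status):
    """Apply the /api/user test: is the key bad, or only this endpoint?"""
    if 200 <= status_of(path, key) < 300:      # assumption: 2xx means "works"
        return "ok"
    if 200 <= status_of("/api/user", key) < 300:
        return "endpoint"   # key works; the issue is with the specific endpoint
    return "key"            # key may be revoked or invalid


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "/api/projects"
    print(diagnose(target, load_key()))
```

The script prints `ok`, `endpoint` or `key` and never echoes the key, so its output is safe to paste into a support ticket or CI log.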

### Limits

#### Number of Keys

You can create multiple API keys:

* Standard: Up to 5 active keys
* Enterprise: Unlimited keys

#### Rate Limits

API keys share your account's rate limits:

* 100 requests/minute (standard)
* Higher limits for enterprise

### Best Practices Summary

{% stepper %}
{% step %}
Name keys descriptively — Know what each key is for.
{% endstep %}

{% step %}
Store securely — Use environment variables or secrets managers.
{% endstep %}

{% step %}
Rotate regularly — Replace keys periodically.
{% endstep %}

{% step %}
Revoke when done — Remove unused keys.
{% endstep %}

{% step %}
Monitor usage — Watch for unusual activity.
{% endstep %}

{% step %}
Use separate keys — One per integration.
{% endstep %}
{% endstepper %}
