Overview

API keys authenticate your requests to the Userorbit REST API. Every API call must include a valid key in the Authorization header. This guide walks you through creating, managing, and securing your API keys.

Create a new API key

  1. Log in to Userorbit and go to Settings > API Keys from the left sidebar.
  2. Click Create API Key.
  3. Give the key a descriptive name that indicates its purpose, such as "Production backend" or "Zapier sync." This helps you identify keys later when you have several active at once.
  4. Click Create.
  5. Your new API key is displayed. Copy it immediately — Userorbit shows the full key only once. After you close the dialog, the key is masked and cannot be retrieved again.

Store your key securely

Treat API keys like passwords. Follow these practices:

  • Store keys in environment variables or a secrets manager (such as AWS Secrets Manager, Vault, or your CI/CD platform's secrets store). Never hard-code keys in source code.
  • Do not commit keys to version control. Add .env files to your .gitignore.
  • Limit access to keys on a need-to-know basis within your team.

Use the key in API requests

Include the key in the Authorization header as a Bearer token. Every request must also include your team ID in the x-team-id header:

  Authorization: Bearer YOUR_API_KEY
  x-team-id: YOUR_TEAM_ID

If the key is missing or invalid, the API returns a 401 Unauthorized response.
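The following is an added example of a minimal client that follows this page's guidance; it is not Userorbit's own client code. It reads the key and team ID from environment variables rather than source code, sets the Authorization and x-team-id headers exactly as described above, and treats a 401 as a distinct error so that a rotated or revoked key is noticed instead of being retried blindly. The base URL, the /me path and the stub server are assumptions constructed so the example runs offline; the real Userorbit endpoints are not described on this page.

```python
import json
import os
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed base URL (placeholder); the real Userorbit API host is not given on this page.
BASE_URL = os.environ.get("USERORBIT_BASE_URL", "https://api.userorbit.example/v1")


class AuthError(Exception):
    """Raised when the API rejects the key or team ID with HTTP 401."""


def load_credentials():
    """Read the key and team ID from the environment, never from source code."""
    api_key = os.environ.get("USERORBIT_API_KEY")
    team_id = os.environ.get("USERORBIT_TEAM_ID")
    if not api_key or not team_id:
        raise RuntimeError("USERORBIT_API_KEY and USERORBIT_TEAM_ID must be set")
    return api_key, team_id


def build_headers(api_key, team_id):
    """Headers required on every request, as documented above."""
    return {
        "Authorization": f"Bearer {api_key}",
        "x-team-id": team_id,
        "Accept": "application/json",
    }


def userorbit_get(path, api_key, team_id, base_url=BASE_URL):
    """GET a JSON resource; returns (status, body). Raises AuthError on 401."""
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    req = urllib.request.Request(url, headers=build_headers(api_key, team_id), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        if err.code == 401:
            # Never put the key itself in the message: exceptions end up in logs.
            raise AuthError(
                f"API key rejected (401) on {path}; the key may have been rotated or revoked"
            ) from err
        raise


# --- Constructed stub server so the example runs offline (assumption, not Userorbit) ---
STUB_VALID_KEY = "constructed-test-key"
STUB_VALID_TEAM = "team_123"


class _StubHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        ok = (self.headers.get("Authorization") == f"Bearer {STUB_VALID_KEY}"
              and self.headers.get("x-team-id") == STUB_VALID_TEAM)
        body = b'{"ok": true}' if ok else b'{"error": "unauthorized"}'
        self.send_response(200 if ok else 401)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub_server():
    server = HTTPServer(("127.0.0.1", 0), _StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def demo():
    """Valid key succeeds; a revoked key raises AuthError. Returns (status, revoked_rejected)."""
    server, url = start_stub_server()
    try:
        status, _ = userorbit_get("/me", STUB_VALID_KEY, STUB_VALID_TEAM, base_url=url)
        try:
            userorbit_get("/me", "revoked-key", STUB_VALID_TEAM, base_url=url)
            revoked_rejected = False
        except AuthError:
            revoked_rejected = True
    finally:
        server.shutdown()
        server.server_close()
    return status, revoked_rejected


if __name__ == "__main__":
    print(demo())
```

In a real deployment you would call load_credentials() once at startup and pass the result to userorbit_get; catching AuthError separately from other HTTP errors lets a service alert on a revoked key rather than silently retrying.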

Rotate keys

Rotating keys periodically reduces risk if a key is accidentally exposed. To rotate:

  1. Create a new API key following the steps above.
  2. Update your applications and integrations to use the new key.
  3. Verify that all systems are working with the new key.
  4. Revoke the old key (see below).

Avoid revoking the old key before all of your systems have migrated to the new one; revoking it early causes downtime for any service still using it.

Revoke a compromised key

If you suspect a key has been leaked or compromised, revoke it immediately:

  1. Go to Settings > API Keys.
  2. Find the key in the list. Use the name you assigned to identify it.
  3. Click the Revoke button next to the key.
  4. Confirm the action. The key is invalidated instantly and any request using it will receive a 401 response.

After revoking, create a replacement key and update your services.

Best practices

  • One key per service — Create separate keys for each application or integration that calls the API. This way you can revoke one key without affecting others.
  • Name keys clearly — Descriptive names like "Staging backend" or "Data pipeline" make it easy to audit which key belongs to which system.
  • Audit regularly — Review your active keys periodically from the API Keys settings page. Revoke any keys that are no longer in use.
  • Monitor usage — Watch for unexpected spikes in API traffic, which could indicate a leaked key being exploited.
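The last two practices, regular audits and watching for traffic spikes, can be partly automated. The following is an added example, not Userorbit's own tooling, that scans access-log lines and flags two things a defender wants to know about: a key whose per-minute request count jumps far above its own median baseline (a possible leak being exploited), and a key that keeps producing 401s (a revoked or rotated key that some system is still presenting). The log line format and the sample lines are constructed for this example; Userorbit's real log export format is not described on this page.

```python
import re
from collections import Counter, defaultdict
from statistics import median

# Constructed line format: "<ISO timestamp>Z key=<key name> status=<HTTP status>" (assumption).
LINE_RE = re.compile(
    r"^(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\dZ key=(?P<key>\S+) status=(?P<status>\d{3})$"
)


def _constructed_log():
    """Sample log: a steady baseline, one burst, and a revoked key still in use."""
    lines = []
    for minute in range(3):                       # ~3 requests/minute is normal
        for sec in (5, 25, 45):
            lines.append(f"2024-05-01T10:0{minute}:{sec:02d}Z key=prod-backend status=200")
    lines += [f"2024-05-01T10:03:{sec:02d}Z key=prod-backend status=200"
              for sec in range(40)]                # burst: 40 requests in one minute
    lines += [f"2024-05-01T10:0{minute}:15Z key=old-zapier status=401"
              for minute in range(4)]              # revoked key presented every minute
    return lines


SAMPLE_LOG = _constructed_log()


def parse_line(line):
    """Return (minute bucket, key name, status) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("minute"), m.group("key"), int(m.group("status"))


def analyze(lines, spike_factor=5, min_spike=20):
    """Flag per-key traffic spikes and keys that keep being rejected with 401."""
    per_minute = defaultdict(Counter)   # key -> Counter(minute -> request count)
    unauthorized = Counter()            # key -> number of 401 responses
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        minute, key, status = parsed
        per_minute[key][minute] += 1
        if status == 401:
            unauthorized[key] += 1

    findings = []
    for key, buckets in per_minute.items():
        # The median is the baseline so that a single burst does not lift it.
        baseline = median(buckets.values())
        for minute, n in sorted(buckets.items()):
            if n >= min_spike and n > spike_factor * baseline:
                findings.append(("spike", key, minute, n))
    for key, n in unauthorized.items():
        findings.append(("unauthorized", key, None, n))
    findings.sort(key=lambda f: (f[0], f[1]))
    return findings


if __name__ == "__main__":
    for kind, key, minute, n in analyze(SAMPLE_LOG):
        print(kind, key, minute, n)
```

The thresholds (five times the baseline and at least 20 requests in a minute) are arbitrary starting points; tune them per key, since a data pipeline and a low-traffic integration have very different normal rates. Any "unauthorized" finding for a key you revoked during rotation points at a system that was not migrated.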
