How to generate, use, and revoke API keys
API keys let you connect external tools and scripts to your Gridwork account programmatically. Each key grants access to your account's data through the API.
How API keys work
- Keys follow the format gw_ followed by a unique token.
- When you create a key, the full secret is shown only once. Copy it immediately and store it securely.
- After creation, only a short prefix (e.g., gw_abc12...) is displayed in the dashboard for identification.
- The full key is never stored in Gridwork — only a hashed version is kept for verification.
Viewing your keys
Navigate to Admin → API Keys in the sidebar. The page lists all active keys for your account, showing the prefix and when each key was last used.
Creating a key
- Click Generate API Key.
- Give the key a name or label so you can identify its purpose later.
- Click Create.
- Copy the key immediately — you will not be able to see it again.
Tip: Store API keys in a secure location like a password manager or environment variable. Never commit keys to source code.
Revoking a key
If a key is compromised or no longer needed:
- Find the key in the list.
- Click Revoke.
- Confirm the action.
Revoked keys stop working immediately and cannot be restored. You will need to generate a new key if access is still required.
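The model described under "How API keys work" and "Revoking a key" (secret shown once, prefix kept for display, hash kept for verification, revocation effective immediately) can be sketched as follows. This is an added example, not Gridwork's code: the KeyStore class, the SHA-256 digest, the token length and the 8-character prefix are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

PREFIX_LEN = 8  # assumption: matches the "gw_abc12..." example shown in the dashboard


class KeyStore:
    """Hypothetical server-side store: keeps a hash and a display prefix, never the secret."""

    def __init__(self):
        self._records = {}  # key_id -> {"label", "prefix", "digest", "revoked"}

    @staticmethod
    def _digest(secret):
        # Assumption: a fast hash (SHA-256) is adequate because the token is long
        # and random, unlike a human-chosen password that would need a slow KDF.
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def create(self, label):
        """Return (key_id, full_secret). The secret is returned once and not retained."""
        secret = "gw_" + secrets.token_urlsafe(32)
        key_id = secrets.token_hex(8)
        self._records[key_id] = {
            "label": label,
            "prefix": secret[:PREFIX_LEN] + "...",
            "digest": self._digest(secret),
            "revoked": False,
        }
        return key_id, secret

    def list_keys(self):
        """What a dashboard can show for active keys: label and prefix only."""
        return [{"id": k, "label": r["label"], "prefix": r["prefix"]}
                for k, r in self._records.items() if not r["revoked"]]

    def verify(self, presented):
        """Hash the presented key and compare in constant time against active records."""
        candidate = self._digest(presented)
        ok = False
        for r in self._records.values():
            match = hmac.compare_digest(candidate, r["digest"])
            ok = ok or (match and not r["revoked"])
        return ok

    def revoke(self, key_id):
        """Takes effect on the next verify() call; the secret cannot be recovered."""
        self._records[key_id]["revoked"] = True
```

Because only the digest is stored, a lost key cannot be re-displayed or restored; the only recovery path is generating a new one.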
Security best practices
- Rotate keys periodically — Replace keys on a regular schedule to reduce risk.
- Use the fewest keys possible — Each key is an access point. Only create what you need.
- Monitor usage — Check the "last used" timestamp to spot inactive or suspicious keys.
- Transmit securely — Always send API keys via the Authorization header, never in URLs or request bodies.