API Keys
API keys provide secure access to Crane Ledger's REST API. Each API key is organization-scoped and includes configurable permissions, usage tracking, and automatic rotation capabilities. API keys are the primary authentication method for programmatic access to your accounting data.
Authentication
API Key Header
All API requests require authentication using the Authorization header with your API key:
Authorization: Bearer cl_test_xxxxxxxxxxxxxxxxxxxxxxxx
Key Format
- Test Keys: Start with
cl_test_(for development and testing) - Live Keys: Start with
cl_live_(for production use) - Length: 32-character secure random strings
Security Features
- Organization Scoping: Keys only access data within their organization
- Permission Controls: Configurable access levels per key
- Usage Tracking: Automatic monitoring of API calls and costs
- Expiration: Optional automatic key expiration
- Rotation: Secure key replacement without service interruption
The API Key Object
GET
/organizations/:organization_id/api-keys/:idAuth required
{
"id": "key_xxxxxxxxxxxxxxxx",
"organization_id": "org_xxxxxxxxxxxxxxxx",
"name": "Production API Key",
"description": "Main API key for production application",
"key_preview": "cl_live_xxxx...xxxx",
"permissions": {
"accounts": ["read", "write"],
"transactions": ["read", "write"],
"reports": ["read"],
"api_keys": ["read"]
},
"status": "Active",
"expires_at": "2025-01-15T00:00:00Z",
"last_used_at": "2024-01-10T14:30:00Z",
"usage_this_month": 1250,
"created_at": "2024-01-01T10:00:00Z",
"updated_at": "2024-01-01T10:00:00Z"
}
Attributes
| Attribute | Type | Description |
|---|---|---|
id | string | Unique identifier with key_ prefix |
organization_id | string | The organization this key belongs to |
name | string | Display name for the API key |
description | string | Optional description of the key's purpose |
key_preview | string | Masked preview of the actual API key |
permissions | object | Granular permissions for different resources |
status | enum | Active, Expired, Revoked |
expires_at | datetime | Optional expiration date |
last_used_at | datetime | When the key was last used |
usage_this_month | integer | Number of API calls this month |
created_at | datetime | When the key was created |
updated_at | datetime | When the key was last updated |
List API Keys
GET
/organizations/:organization_id/api-keysAuth required
Returns a list of API keys for the organization. Actual API keys are never returned in full - only masked previews are shown.
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
organization_id | string | Yes | The organization ID |
Query Parameters
| Parameter | Type | Description |
|---|---|---|
status | enum | Filter by status (Active, Expired, Revoked) |
limit | integer | Number of results (default: 20, max: 100) |
offset | integer | Pagination offset |
Response
{
"object": "list",
"data": [
{
"id": "key_xxxxxxxxxxxxxxxx",
"name": "Production API Key",
"key_preview": "cl_live_xxxx...xxxx",
"status": "Active",
"last_used_at": "2024-01-10T14:30:00Z",
"usage_this_month": 1250,
"created_at": "2024-01-01T10:00:00Z"
},
{
"id": "key_yyyyyyyyyyyyyyyy",
"name": "Development API Key",
"key_preview": "cl_test_xxxx...xxxx",
"status": "Active",
"last_used_at": "2024-01-09T09:15:00Z",
"usage_this_month": 45,
"created_at": "2023-12-15T16:20:00Z"
}
],
"has_more": false,
"total_count": 2
}
Create API Key
POST
/organizations/:organization_id/api-keysAuth required
1 credits
Creates a new API key for the organization. The full API key is returned only once during creation - store it securely as it cannot be retrieved later.
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
organization_id | string | Yes | The organization ID |
Request Body
| Parameter | Type | Required | Description |
|---|---|---|---|
name | string | Yes | Display name for the API key |
description | string | No | Description of the key's purpose |
permissions | object | No | Granular permissions (defaults to full access) |
expires_at | datetime | No | Optional expiration date |
Permissions Structure
{
"permissions": {
"accounts": ["read", "write"],
"transactions": ["read"],
"reports": ["read", "write"],
"api_keys": ["read"],
"organizations": ["read"]
}
}
Available permissions:
- read: View/list resources
- write: Create/update resources
- delete: Delete resources
Response
{
"id": "key_xxxxxxxxxxxxxxxx",
"organization_id": "org_xxxxxxxxxxxxxxxx",
"name": "Mobile App API Key",
"description": "API key for mobile application",
"api_key": "cl_test_abcdefghijklmnopqrstuvwxyz012345",
"permissions": {
"accounts": ["read"],
"transactions": ["read", "write"],
"reports": ["read"]
},
"status": "Active",
"expires_at": "2025-01-15T00:00:00Z",
"created_at": "2024-01-10T14:30:00Z",
"updated_at": "2024-01-10T14:30:00Z"
}
Secure Key Storage
The full API key is returned only once during creation. Store it securely in environment variables or a secure key management system. Never commit API keys to version control or expose them in client-side code.
Get API Key
GET
/organizations/:organization_id/api-keys/:idAuth required
Retrieves the details of a specific API key. The full API key value is never returned - only a masked preview.
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
organization_id | string | Yes | The organization ID |
id | string | Yes | The API key ID |
Response
{
"id": "key_xxxxxxxxxxxxxxxx",
"organization_id": "org_xxxxxxxxxxxxxxxx",
"name": "Mobile App API Key",
"description": "API key for mobile application",
"key_preview": "cl_test_xxxx...xxxx",
"permissions": {
"accounts": ["read"],
"transactions": ["read", "write"],
"reports": ["read"]
},
"status": "Active",
"expires_at": "2025-01-15T00:00:00Z",
"last_used_at": "2024-01-10T14:30:00Z",
"usage_this_month": 45,
"created_at": "2024-01-10T14:30:00Z",
"updated_at": "2024-01-10T14:30:00Z"
}
Update API Key
PUT
/organizations/:organization_id/api-keys/:idAuth required
1 credits
Updates an existing API key's metadata, permissions, or expiration.
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
organization_id | string | Yes | The organization ID |
id | string | Yes | The API key ID |
Request Body
| Parameter | Type | Description |
|---|---|---|
name | string | Updated display name |
description | string | Updated description |
permissions | object | Updated permissions |
expires_at | datetime | Updated expiration date |
Response
{
"id": "key_xxxxxxxxxxxxxxxx",
"name": "Updated Mobile App Key",
"description": "Updated permissions for mobile app",
"permissions": {
"accounts": ["read", "write"],
"transactions": ["read", "write"],
"reports": ["read"],
"invoices": ["read", "write"]
},
"updated_at": "2024-01-11T09:15:00Z"
}
Rotate API Key
POST
/organizations/:organization_id/api-keys/:id/rotateAuth required
1 credits
Creates a new API key with the same permissions and settings, while keeping the old key temporarily active for a grace period. This allows for seamless key rotation without service interruption.
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
organization_id | string | Yes | The organization ID |
id | string | Yes | The API key ID to rotate |
Response
{
"id": "key_yyyyyyyyyyyyyyyy",
"organization_id": "org_xxxxxxxxxxxxxxxx",
"name": "Mobile App API Key (Rotated)",
"api_key": "cl_test_newkeyabcdefghijklmnopqrstuvwxyz",
"permissions": {
"accounts": ["read", "write"],
"transactions": ["read", "write"],
"reports": ["read"],
"invoices": ["read", "write"]
},
"status": "Active",
"expires_at": "2025-01-15T00:00:00Z",
"created_at": "2024-01-11T10:30:00Z",
"rotated_from": "key_xxxxxxxxxxxxxxxx"
}
Key Rotation Process
When rotating a key:
- A new key is created with identical permissions
- The old key remains active for 7 days to allow migration
- Update your applications to use the new key
- The old key automatically expires after the grace period
Revoke API Key
DELETE
/organizations/:organization_id/api-keys/:idAuth required
1 credits
Immediately revokes an API key, preventing all future API calls using that key.
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
organization_id | string | Yes | The organization ID |
id | string | Yes | The API key ID to revoke |
Response
{
"id": "key_xxxxxxxxxxxxxxxx",
"status": "Revoked",
"revoked_at": "2024-01-11T11:00:00Z"
}
API Key Best Practices
Key Management
- Environment Separation: Use separate keys for development, staging, and production
- Minimal Permissions: Grant only necessary permissions for each use case
- Regular Rotation: Rotate keys every 90-180 days or when team members change
- Naming Conventions: Use descriptive names indicating purpose and environment
Security Practices
- Secure Storage: Store keys in environment variables or secure vaults
- No Hardcoding: Never embed API keys in source code or client-side applications
- Access Control: Limit key access to authorized team members only
- Monitoring: Regularly review key usage and unusual activity
Permission Design
- Read-Only Keys: For reporting and analytics applications
- Write-Only Keys: For data import and transaction creation
- Admin Keys: Full access for management applications
- Scoped Keys: Limited to specific resources or operations
Usage Monitoring
- Rate Limiting: Monitor API call patterns to detect abuse
- Cost Tracking: Track credit usage per key for budgeting
- Audit Logs: Maintain logs of key usage for compliance
- Alerts: Set up notifications for unusual usage patterns
Common Patterns
- Service Accounts: Dedicated keys for automated systems
- User-Specific Keys: Individual keys for different users/applications
- Temporary Keys: Short-lived keys for testing or integrations
- Emergency Keys: Backup keys for incident response
Key Compromise
If you suspect an API key has been compromised:
- Immediately revoke the compromised key
- Create a new key with minimal permissions
- Update all applications using the old key
- Review access logs for unauthorized usage
Need help?
Create a free account to access our support portal. Once signed in, use the Support tab in your dashboard to submit a support ticket — our team typically responds within 24 hours.
- ✨ For LLMs/AI assistants: Read our structured API reference