Integrations

Generate an API key for your certifier

A step-by-step guide to issue a scoped API token so an external certifier can access your evidence files securely.

Overview

What is an integration API key?

An integration is a scoped API token that lets an external service — such as the certifier auditing your compliance — access your organization's evidence files without using a personal login. You decide exactly what each token can do and how long it lasts.

Scoped access

Each key only grants the permissions you select — nothing more.

Time-limited

Set an expiration so access ends automatically when the audit is over.

Revocable

Disable a key at any time to cut off access immediately.

Who is this for?

This guide is for organization administrators who need to give a certifier or external auditor programmatic access to their evidence files.

Requirements

Before you start

Two-factor authentication (2FA) is enabled on your account. It is required to create an API key — see the section below to set it up.

You are an administrator of the organization, or a member with the Create integration permission.

Your encryption keys are unlocked — only needed if the certifier must decrypt files (files:decrypt scope).

A secure channel to hand the credentials over to the certifier, such as a password manager or secrets vault.

Clarity on which scopes the certifier needs, so you can grant the least privilege required.

Two-factor authentication

Enable 2FA before creating a key

Issuing an API key is a sensitive action, so the platform requires two-factor authentication (2FA) on your account and asks you to confirm a code each time you create a key. If you don't have 2FA yet, set it up once with the steps below.

2FA is mandatory to create an API key

Without 2FA enabled, the Create integration action is blocked. Enable it once on your account and you're ready to issue keys.

  1. 1

    Open your profile security settings

    Go to your profile and open the Security tab, then click Enable 2FA.

  2. 2

    Confirm your password

    Enter your current account password to authorize turning on two-factor authentication.

  3. 3

    Add the account to your authenticator app

    Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, …), or type the shown secret into the app manually.

  4. 4

    Save your backup codes

    Store the one-time backup codes somewhere safe. They let you sign in if you ever lose access to your authenticator app.

  5. 5

    Confirm the 6-digit code

    Enter the current 6-digit code from your authenticator app to finish enabling 2FA. Your account is now protected.

What happens next

From then on, whenever you create or rotate an API key, a Verify your identity prompt appears — just enter the current 6-digit code from your authenticator app to authorize the action.

Read the full 2FA setup guide
Step by step

Generating the API key

  1. 1

    Open your organization settings

    In the platform, go to your organization's settings and open the Integrations tab. This is where every API key issued for your organization is listed.

    Open your organization settings
    Organization settings with the Integrations tab selected, showing the list of existing integrations.
  2. 2

    Start a new integration

    Click the Create integration button in the top-right corner. You need the Create integration permission — organization administrators have it by default.

    Start a new integration
    The Create integration button highlighted in the top-right corner of the Integrations tab.
  3. 3

    Optional: use the certifier preset

    At the top of the dialog, the Quick setup box offers a one-click preset. Click Use certifier preset to set up a certifier that can read, download and review — without decryption — in a single step. You can still adjust anything afterwards, or skip the preset and configure the options manually.

    Optional: use the certifier preset
    The Quick setup box with the Use certifier preset button at the top of the dialog.
  4. 4

    Name the integration

    Give the integration a name that identifies the certifier, such as the auditing firm's name (for example, "Certifier ACME"). This label helps admins recognize the key later.

    Name the integration
    The Create integration dialog with the Name field filled in and the Quick setup preset at the top.
  5. 5

    Set the access token expiration

    Under Access token expiration, choose how long the access token stays valid. We recommend 90 days so a leaked token has a limited lifetime. You can also pick a custom date (up to 180 days) or, only when strictly necessary, choose that it never expires.

    Set the access token expiration
    The Access token expiration options in the Create integration dialog.
  6. 6

    Choose the permissions

    Under Permissions, choose what the integration can do: Read files lists files and reads their details, Download files downloads file contents, Review evidence lets it take part in certification reviews, and Decrypt files lets it open your organization's encrypted files. We recommend keeping Read files, Download files and Review evidence enabled, and leaving Decrypt files off unless the certifier truly needs to read decrypted files.

    Choose the permissions
    The Permissions section with Read files, Download files and Review evidence enabled and Decrypt files left off.
  7. 7

    Set the decryption access expiration (optional)

    Only needed when you enable Decrypt files. Unlock your encryption keys first so the platform can wrap your organization key for the integration. Then set the Decryption access expiration — 365 days is recommended, up to a maximum of 730 days.

    Set the decryption access expiration (optional)
    The Decryption access expiration options shown after enabling Decrypt files.
  8. 8

    Create and copy the credentials

    Click Create and confirm the 6-digit code in the Verify your identity prompt. The platform then shows the Bearer token — and, if you granted files:decrypt, the integration private key. These credentials are displayed only once and cannot be recovered, so copy them and store them in a secure vault immediately.

    Create and copy the credentials
    The credentials dialog showing the Bearer token with the one-time warning banner.
  9. 9

    Deliver the credentials to the certifier securely

    Share the token with the certifier through a secure channel (never plain email). The certifier authenticates each request by sending it in the Authorization: Bearer header, as shown in the Using the token section.

    Deliver the credentials to the certifier securely
    The new integration now appearing as active in the integrations list.

Credentials are shown only once

The Bearer token and private key are never stored in a recoverable form. If you lose them, you must delete the integration and create a new one.

Scopes

Understanding the access scopes

Scopes define what the certifier can do with the token. Grant only what the audit requires.

files:read

List files and read their metadata.

files:download

Generate presigned URLs to download files.

files:decrypt

Decrypt files. This generates a dedicated keypair for the integration and wraps your organization key so the certifier can read encrypted content.

review

Read and post certification chat messages, start reviews, approve, and request changes on evidences.

Using the token

The certifier authenticates every request by sending the token in the Authorization header:

Authorization: Bearer <your-token>
Security

Security best practices

Prefer short expirations

A token that expires bounds the damage if it ever leaks. Avoid never-expires tokens unless a certifier truly requires uninterrupted access.

Grant the least privilege

Only enable the scopes the certifier needs for the current audit. You can create a new, narrower integration instead of over-granting an existing one.

Rotate periodically

Rotate the token from the integrations list to issue a fresh secret and invalidate the old one — useful at the end of each audit cycle.

Revoke when finished

When the audit is over or a key may be compromised, disable the integration immediately. Access stops the moment it is revoked.

FAQ

Frequently Asked Questions

Organization administrators, and any member granted the Create integration permission. If you don't see the Create integration button, ask an administrator to grant you the permission or to create the key for you.

Issuing an API key is a sensitive action, so the platform requires 2FA on your account and asks you to confirm a code each time you create or rotate a key. If you don't have 2FA yet, enable it under Profile → Security (see the Two-factor authentication section above). Without it, the Create integration action is blocked.

No. The Bearer token and the private key are shown only once, at creation time, and are never stored in a recoverable form. If you lose them, delete the integration and create a new one.

Only if they must read the decrypted contents of your files. If reading metadata and downloading the (still encrypted) files is enough, grant just files:read and files:download. The files:decrypt scope generates a dedicated keypair and requires you to unlock your encryption keys during creation.

Requests made with an expired token are rejected. To restore access, rotate the token from the integrations list or create a new integration. Choosing a shorter expiration limits the impact if a token is ever leaked.

Open the Integrations tab, find the integration, and disable it. Access is cut off immediately. Do this as soon as an audit ends or if you suspect a credential was exposed.

Use a secure channel such as a shared password manager or a secrets vault — never plain email or chat. The certifier then sends the token in the Authorization: Bearer header on every request.

Need More Information?

If you have questions about issuing API keys, scopes, or connecting a certifier to your organization, please contact us.

Email Support

Contact your administrator or our support team

Documentation

Check our technical documentation for more details