Generate an API key for your certifier
A step-by-step guide to issue a scoped API token so an external certifier can access your evidence files securely.
What is an integration API key?
An integration is a scoped API token that lets an external service — such as the certifier auditing your compliance — access your organization's evidence files without using a personal login. You decide exactly what each token can do and how long it lasts.
Scoped access
Each key only grants the permissions you select — nothing more.
Time-limited
Set an expiration so access ends automatically when the audit is over.
Revocable
Disable a key at any time to cut off access immediately.
Who is this for?
This guide is for organization administrators who need to give a certifier or external auditor programmatic access to their evidence files.
Before you start
Two-factor authentication (2FA) is enabled on your account. It is required to create an API key — see the section below to set it up.
You are an administrator of the organization, or a member with the Create integration permission.
Your encryption keys are unlocked — only needed if the certifier must decrypt files (files:decrypt scope).
A secure channel to hand the credentials over to the certifier, such as a password manager or secrets vault.
Clarity on which scopes the certifier needs, so you can grant the least privilege required.
Enable 2FA before creating a key
Issuing an API key is a sensitive action, so the platform requires two-factor authentication (2FA) on your account and asks you to confirm a code each time you create a key. If you don't have 2FA yet, set it up once with the steps below.
2FA is mandatory to create an API key
Without 2FA enabled, the Create integration action is blocked. Enable it once on your account and you're ready to issue keys.
- 1
Open your profile security settings
Go to your profile and open the Security tab, then click Enable 2FA.
- 2
Confirm your password
Enter your current account password to authorize turning on two-factor authentication.
- 3
Add the account to your authenticator app
Scan the QR code with an authenticator app (Google Authenticator, Authy, 1Password, Microsoft Authenticator, …), or type the shown secret into the app manually.
- 4
Save your backup codes
Store the one-time backup codes somewhere safe. They let you sign in if you ever lose access to your authenticator app.
- 5
Confirm the 6-digit code
Enter the current 6-digit code from your authenticator app to finish enabling 2FA. Your account is now protected.
What happens next
From then on, whenever you create or rotate an API key, a Verify your identity prompt appears — just enter the current 6-digit code from your authenticator app to authorize the action.
Generating the API key
- 1
Open your organization settings
In the platform, go to your organization's settings and open the Integrations tab. This is where every API key issued for your organization is listed.

Organization settings with the Integrations tab selected, showing the list of existing integrations. - 2
Start a new integration
Click the Create integration button in the top-right corner. You need the Create integration permission — organization administrators have it by default.

The Create integration button highlighted in the top-right corner of the Integrations tab. - 3
Optional: use the certifier preset
At the top of the dialog, the Quick setup box offers a one-click preset. Click Use certifier preset to set up a certifier that can read, download and review — without decryption — in a single step. You can still adjust anything afterwards, or skip the preset and configure the options manually.

The Quick setup box with the Use certifier preset button at the top of the dialog. - 4
Name the integration
Give the integration a name that identifies the certifier, such as the auditing firm's name (for example, "Certifier ACME"). This label helps admins recognize the key later.

The Create integration dialog with the Name field filled in and the Quick setup preset at the top. - 5
Set the access token expiration
Under Access token expiration, choose how long the access token stays valid. We recommend 90 days so a leaked token has a limited lifetime. You can also pick a custom date (up to 180 days) or, only when strictly necessary, choose that it never expires.

The Access token expiration options in the Create integration dialog. - 6
Choose the permissions
Under Permissions, choose what the integration can do: Read files lists files and reads their details, Download files downloads file contents, Review evidence lets it take part in certification reviews, and Decrypt files lets it open your organization's encrypted files. We recommend keeping Read files, Download files and Review evidence enabled, and leaving Decrypt files off unless the certifier truly needs to read decrypted files.

The Permissions section with Read files, Download files and Review evidence enabled and Decrypt files left off. - 7
Set the decryption access expiration (optional)
Only needed when you enable Decrypt files. Unlock your encryption keys first so the platform can wrap your organization key for the integration. Then set the Decryption access expiration — 365 days is recommended, up to a maximum of 730 days.

The Decryption access expiration options shown after enabling Decrypt files. - 8
Create and copy the credentials
Click Create and confirm the 6-digit code in the Verify your identity prompt. The platform then shows the Bearer token — and, if you granted files:decrypt, the integration private key. These credentials are displayed only once and cannot be recovered, so copy them and store them in a secure vault immediately.

The credentials dialog showing the Bearer token with the one-time warning banner. - 9
Deliver the credentials to the certifier securely
Share the token with the certifier through a secure channel (never plain email). The certifier authenticates each request by sending it in the Authorization: Bearer header, as shown in the Using the token section.

The new integration now appearing as active in the integrations list.
Credentials are shown only once
The Bearer token and private key are never stored in a recoverable form. If you lose them, you must delete the integration and create a new one.
Understanding the access scopes
Scopes define what the certifier can do with the token. Grant only what the audit requires.
files:read
List files and read their metadata.
files:download
Generate presigned URLs to download files.
files:decrypt
Decrypt files. This generates a dedicated keypair for the integration and wraps your organization key so the certifier can read encrypted content.
review
Read and post certification chat messages, start reviews, approve, and request changes on evidences.
Using the token
The certifier authenticates every request by sending the token in the Authorization header:
Authorization: Bearer <your-token>Security best practices
Prefer short expirations
A token that expires bounds the damage if it ever leaks. Avoid never-expires tokens unless a certifier truly requires uninterrupted access.
Grant the least privilege
Only enable the scopes the certifier needs for the current audit. You can create a new, narrower integration instead of over-granting an existing one.
Rotate periodically
Rotate the token from the integrations list to issue a fresh secret and invalidate the old one — useful at the end of each audit cycle.
Revoke when finished
When the audit is over or a key may be compromised, disable the integration immediately. Access stops the moment it is revoked.
Frequently Asked Questions
Organization administrators, and any member granted the Create integration permission. If you don't see the Create integration button, ask an administrator to grant you the permission or to create the key for you.
Issuing an API key is a sensitive action, so the platform requires 2FA on your account and asks you to confirm a code each time you create or rotate a key. If you don't have 2FA yet, enable it under Profile → Security (see the Two-factor authentication section above). Without it, the Create integration action is blocked.
No. The Bearer token and the private key are shown only once, at creation time, and are never stored in a recoverable form. If you lose them, delete the integration and create a new one.
Only if they must read the decrypted contents of your files. If reading metadata and downloading the (still encrypted) files is enough, grant just files:read and files:download. The files:decrypt scope generates a dedicated keypair and requires you to unlock your encryption keys during creation.
Requests made with an expired token are rejected. To restore access, rotate the token from the integrations list or create a new integration. Choosing a shorter expiration limits the impact if a token is ever leaked.
Open the Integrations tab, find the integration, and disable it. Access is cut off immediately. Do this as soon as an audit ends or if you suspect a credential was exposed.
Use a secure channel such as a shared password manager or a secrets vault — never plain email or chat. The certifier then sends the token in the Authorization: Bearer header on every request.
Need More Information?
If you have questions about issuing API keys, scopes, or connecting a certifier to your organization, please contact us.
Email Support
Contact your administrator or our support team
Documentation
Check our technical documentation for more details