Create, copy, rotate, and revoke a tenant API key

Create a workspace-owned API key by task, copy or securely download its secret the one time it is shown, then rotate or revoke it whenever the integration changes or retires.

Purpose

Give an approved integration or assistant a workspace-owned API key with the smallest permissions it needs, capture the secret safely the one time it is shown, and keep the key healthy by rotating or revoking it when things change.

Who this is for

Admins and developers setting up API or assistant access for an approved integration on their workspace.

Prerequisites

Steps

  1. Open the API and integrations area in Tenant Admin and start a new key.
  2. Choose the task-based preset that matches the integration, and review the access, risk level, and recommended expiry it shows; for a specialized integration, switch to custom advanced permissions and select only what it needs.
  3. Give the key a clear name, pick the production or test environment, and create the key.
  4. When the secret appears, copy it or use secure download, store it in your integration's protected settings, then tick the box confirming you saved it and choose Done.
  5. Confirm the key shows in your keys list with the right status, and check that the integration's first requests appear in its activity.
  6. Rotate a key on a regular cadence or whenever it may have leaked, and revoke any key for a retired or unused integration.

Expected result

The integration connects with a workspace-owned key limited to the permissions you chose. The secret was captured once and is no longer retrievable, the key appears in your list with its status and a masked reference, and you can rotate or revoke it at any time.

Verification

If something goes wrong

You closed the secret panel before saving the secret
The secret cannot be shown again. Rotate the key to get a fresh secret, then copy and store it before choosing Done.
Copy did not work in your browser
Use the secure download option instead; the key name, environment, and secret are saved to a file you can move into your protected settings.
The integration cannot connect
Open the key's details and confirm its permissions and environment match what the integration needs; if they do not, create a replacement key with the right task or permissions.
A key may have leaked or is no longer needed
Rotate it to issue a new secret while the old one keeps working only briefly, or revoke it to stop all access immediately and permanently.

Permissions

Viewing keys is broad, but creating, rotating, and revoking them needs an admin or developer role. Every key you create is workspace-owned and scoped to the task you choose; it never grants platform administration and is always separate from platform credentials.

Related articles

Support

If an approved integration still cannot connect after you confirm its key and permissions, ask your workspace admin first. LumenReach support can help with connection requirements and key lifecycle questions without ever asking for or exposing the secret value or platform credentials.