Create, copy, rotate, and revoke a tenant API key
Create a workspace-owned API key by task, copy or securely download its secret the one time it is shown, then rotate or revoke it whenever the integration changes or retires.
Purpose
Give an approved integration or assistant a workspace-owned API key with the smallest permissions it needs, capture the secret safely the one time it is shown, and keep the key healthy by rotating or revoking it when things change.
Who this is for
Admins and developers setting up API or assistant access for an approved integration on their workspace.
Prerequisites
- An admin or developer role on the workspace.
- Agreement on which integration or assistant needs access and what it should be allowed to do.
- A secure place to store the secret, such as your integration's protected settings or a secrets manager.
- Time to finish the copy step in one sitting, because the secret is shown only once.
Steps
- Open the API and integrations area in Tenant Admin and start a new key.
- Choose the task-based preset that matches the integration, and review the access, risk level, and recommended expiry it shows; for a specialized integration, switch to custom advanced permissions and select only what it needs.
- Give the key a clear name, pick the production or test environment, and create the key.
- When the secret appears, copy it or use secure download, store it in your integration's protected settings, then tick the box confirming you saved it and choose Done.
- Confirm the key shows in your keys list with the right status, and check that the integration's first requests appear in its activity.
- Rotate a key on a regular cadence or whenever it may have leaked, and revoke any key for a retired or unused integration.
Expected result
The integration connects with a workspace-owned key limited to the permissions you chose. The secret was captured once and is no longer retrievable, the key appears in your list with its status and a masked reference, and you can rotate or revoke it at any time.
Verification
- The new key appears in your keys list with its name, environment, and an Active status.
- Inspecting the key shows the preset or permissions, environment, and a masked reference rather than the full secret.
- The integration's first requests show up in the key's recent activity.
- After you revoke a key, its status changes to Revoked and requests using it start failing.
If something goes wrong
- You closed the secret panel before saving the secret
- The secret cannot be shown again. Rotate the key to get a fresh secret, then copy and store it before choosing Done.
- Copy did not work in your browser
- Use the secure download option instead; the key name, environment, and secret are saved to a file you can move into your protected settings.
- The integration cannot connect
- Open the key's details and confirm its permissions and environment match what the integration needs; if they do not, create a replacement key with the right task or permissions.
- A key may have leaked or is no longer needed
- Rotate it to issue a new secret while the old one keeps working only briefly, or revoke it to stop all access immediately and permanently.
Permissions
Viewing keys is broad, but creating, rotating, and revoking them needs an admin or developer role. Every key you create is workspace-owned and scoped to the task you choose; it never grants platform administration and is always separate from platform credentials.
Related articles
Support
If an approved integration still cannot connect after you confirm its key and permissions, ask your workspace admin first. LumenReach support can help with connection requirements and key lifecycle questions without ever asking for or exposing the secret value or platform credentials.