ImportOpsHelp

Managing API keys

Create, scope, and revoke API keys so other tools can read and write your ImportOps data.

Updated Apr 19, 2026

API keys let other tools access your organisation's data in ImportOps without a team member having to sign in. You create a key, choose what it can do, use it from your integration, and revoke it when you're done.

Before you start

  • You need to be an admin.
  • Your plan needs API access included. See What's included on Core vs Pro.
  • You're on SettingsAPI keys.

Creating a key

  1. Type a name that describes where the key will be used (for example, "Website inventory sync" or "Reporting script").
  2. Pick an expiry: 3 months, 6 months, 1 year, or a custom date. Short expiries are safer.
  3. Click Create key.
  4. Copy the key token shown in the confirmation panel.

The full key token is only shown once, at the moment you create it. There is no way to see it again. If you lose it, revoke the key and create a new one.

Store the key securely, wherever your integration keeps secrets. Don't paste it into chat, email, or a shared document.

Scopes

Keys are scoped so they can only do what they need to do. The default scope is vehicles.read, which lets the key read vehicle records but not modify anything. If your integration needs write access, contact support for a scoped key; the team will guide you on the right scope for your use case.

What's shown for each key

Once created, each key shows:

  • Name: the label you chose.
  • Key prefix: the first few characters of the key, safe to display and useful for identifying a key in logs.
  • Scopes: what the key can do.
  • Expiry date: when the key stops working.
  • Last used: the most recent time the key authenticated a request.
  • Created: the date the key was issued.

Revoked keys stay in the list with a Revoked label so you have a history.

Revoking a key

Click Revoke next to the key. The action is immediate: any request using that key after revocation will be rejected.

Revoke a key when:

  • The integration it belongs to is decommissioned.
  • The key may have been exposed (pasted in public, stored insecurely, shared by accident).
  • The team member who created it has left the organisation.

Good practice

  • One key per integration. Don't share a key across tools; if one leaks, you can revoke it without breaking the others.
  • Use the shortest expiry that fits the job. A key that expires in 3 months forces a rotation habit.
  • Rotate when you change team members. If the person who set up the integration leaves, create a fresh key and revoke the old one.
  • Read the audit log. Key creation and revocation show up in the audit log with the admin's name. See The audit log.
Was this helpful?

Related articles

The Settings area
A tour of the Settings sidebar, what each group contains, and who can see what.
The audit log
What the audit log records, how to filter it, and when to use it.