Service API Keys

Service API Keys are platform-level credentials for service-to-service authentication. They are separate from tenant API keys and are intended for trusted backend services or integrations that need direct API access without a user session. System administrators generate, rotate, and revoke these keys from the system admin portal.

Accessing the Page

• Route: /service-api-keys
• Menu Path: Settings → System → Service API Keys
• Primary audience: System administrators only. These pages are accessed via the system admin login at system.portal.net — not the tenant portal.

What you can do here

• View all service API keys with their service name, status (Active, Revoked, Expired), creation date, expiration date, and last-used timestamp.
• Generate a new API key and copy the one-time secret before it is masked.
• Revoke a key to immediately block any service using it.
• Filter keys by status (Active / Revoked / Expired) and expiration state (Valid / Expired / Expiring Soon).
• Search keys by service name or description.

Common tasks

1. Open Settings → System → Service API Keys at system.portal.net.
2. Click Generate New API Key to open the generation form.
3. Enter the service name and an optional description and expiration date.
4. Click Generate — a modal displays the key secret. Copy it immediately; it will not be shown again.
5. Store the secret in your deployment vault or secret manager.
6. Pass the key in the Authorization header of service-to-service API requests.

Notes

• The secret is shown only once, immediately after generation. If it is lost, revoke the key and generate a replacement.
• Revoking a key is permanent and immediate — the service loses access the moment the revocation is confirmed.
• An expired key is automatically treated as inactive. Its status badge changes to Expired and the service can no longer authenticate.
• Use clear, descriptive service names (e.g., inventory-service, erp-sync) to identify keys when auditing or revoking.
• Store secrets in an approved secrets vault. Never commit secrets to source control or configuration files.

Generating a Service API Key

Click Generate New API Key in the page header. A full-page form opens where you configure the key before generating the secret.

Fields

Field	Required	Type	Description	Default	Validation
Service Name	Yes	Text	Unique identifier for the service that will use this key (e.g., inventory-service)	—	Required; used as the key’s display name in the list
Description	No	Textarea	Optional notes about the key’s purpose and usage	—	Max 1000 characters
Expiration Date	No	Date	Date after which the key stops working. Leave empty for a key that never expires	—	Must be a future date

Steps:

1. Click Generate New API Key in the page header.
2. Enter a descriptive Service Name that identifies the consuming service.
3. Optionally add a Description explaining the key’s purpose.
4. Optionally set an Expiration Date to limit the key’s lifetime.
5. Click Generate. A modal immediately shows the generated secret.
6. Click the copy icon to copy the secret to the clipboard. Store it securely — it will not be shown again.
7. Click Close to dismiss the modal and return to the key list.

Revoking a Service API Key

Revoking permanently deactivates a key. Any service using the key loses access immediately.

1. Open row actions (three-dot menu) on an active key row.
2. Select Revoke Key.
3. Read the confirmation: “Are you sure you want to revoke the API key for [service name]? This action cannot be undone and the service will no longer be able to authenticate.”
4. Click Revoke Key to confirm — the key status changes to Revoked in the list.

Note: Revoked keys cannot be re-activated. Generate a new key and update the consuming service’s configuration to restore access.

Related Pages

• API Keys — tenant-scoped API keys managed under Data & Monitoring settings
• Tenant Management — tenant organizations that service API keys may interact with