API keys

API keys give external integrations programmatic access to your workspace's data without using a member's login. Admin-only. Each key carries an admin-readable label (what it's for) and tracks its creation date + last-used timestamp so you can spot stale keys.

Creating a key

1. Click Create key at the top of the page.
2. Enter a descriptive label — what's it for? Examples: "Zapier integration", "Internal reporting tool", "Mobile app".

3. Click Create. The key is shown once — copy it immediately. You won't see it again after closing the banner.
4. Paste the key into your integration. Zellbox accepts it as Authorization: Bearer <key> on every endpoint that accepts JWT auth.

Treat keys like passwords. Anyone with the key has the same data access as the workspace admin. Rotate immediately if a key leaks.

Rotating a key

There's no in-place rotation. To rotate:

1. Create a new key with the same purpose.
2. Update your integration with the new key.
3. Once you've confirmed the integration works, delete the old key from the list.

Deleting a key

1. Find the key in the list.
2. Click Delete on its row.
3. Confirm in the dialog. The key is revoked instantly — any in-flight requests using it will start failing with 401 on the next call.