Create an API key with scoped permissions (read, write, admin) and an optional expiration date.

Copy the key immediately after creation. For security, the full key is only shown once.

Set up webhook endpoints to receive real-time notifications when events occur (user created, assessment completed, etc.).

Test your webhook endpoint with a sample payload to verify it receives and processes events correctly.

API keys: Bearer tokens for authenticating REST API calls. Each key has scoped permissions and can be revoked independently.

Webhooks: HTTP callbacks that push event data to your endpoints in real-time. Events include user changes, assessment completions, license updates, and more.

SDK keys: Special keys for mobile SDK integrations (iOS and Android). These include platform-specific settings like bundle ID and activation limits.

Rate limiting: API calls are rate-limited per key. Current limits are shown in the API response headers.

Can I rotate an API key? You cannot rotate an existing key. Create a new key, update your integration, then revoke the old one.

What happens when a webhook delivery fails? Failed deliveries are retried with exponential backoff. After repeated failures, the webhook is automatically disabled.

How many API keys can I create? There is no hard limit, but we recommend creating separate keys for each integration for better security and auditability.

Are API calls logged in the audit trail? Yes, API key usage and webhook deliveries are tracked and viewable in the audit log.