Managing API Keys
API keys let external systems and scripts call the SuiteOp REST API on behalf of your organization. Each key carries its own set of permissions and acts as a machine member of your org — every request it makes is scoped to your data and recorded against the key. You manage keys yourself from Settings → API Keys, no developer access required.
Opening the API Keys page
In the dashboard sidebar, go to Settings, then select API Keys from the settings navigation. The page lists your organization’s API keys with each one’s name, masked key prefix, creation date, last-used time, expiry, and current status.
By default the list shows active and expired keys; revoked keys are hidden. Tick Show revoked to include them too — useful for auditing which keys existed in the past.
Creating a key
1. Click Create API Key
   Use the + Create API Key button in the top-right of the page. A dialog opens.
2. Name the key
   Enter a descriptive Name that identifies where the key is used — for example, `Zapier production` or `Nightly reporting script`. The name is how you’ll recognize the key later, so make it specific.
3. Choose an expiry
   Pick when the key should stop working from the Expiry dropdown:
   - Never — the key stays valid until you revoke it
   - 30 days, 90 days, or 1 year — the key expires automatically after the chosen period
   Setting an expiry is a good practice for keys handed to short-lived integrations or contractors.
4. Select permissions
   Use the Permissions editor to choose exactly what the key can do. Permissions are shown as human-readable labels (for example View tasks, Manage reservations) and map to the API’s `resource:action` scopes. Search the list to find specific permissions, and select only the minimum the integration needs. A key must have at least one permission.
5. Click Create
   The key is generated and shown to you once.
After you close the reveal dialog, the new key appears in the list showing only its prefix (the first few characters), which is enough to identify it without exposing the secret.
Understanding key status
Each key in the list shows a status badge:
| Status | Meaning |
|---|---|
| Active | The key works and can make API requests. |
| Expired | The key passed its expiry date and no longer authenticates. It stays in the list for reference. |
| Revoked | The key was manually disabled and can never be used again. |
The Last used column shows when the key most recently made a request (or a dash if it has never been used) — a quick way to spot keys that are no longer in service and can be safely revoked.
Revoking a key
Revoking permanently disables a key. Do this as soon as a key is no longer needed, or immediately if you suspect it has been exposed.
1. Find the key
   Locate the active key in the list.
2. Click Revoke
   Select Revoke on the key’s row. A confirmation dialog appears naming the key.
3. Confirm
   Confirm the action. The key stops working immediately for all requests, and its status changes to Revoked.
Best practices
- Scope minimally. Give each key only the permissions its integration actually uses.
- One key per integration. Separate keys make it easy to revoke a single integration without disrupting others, and the Last used column tells you which is which.
- Set an expiry for keys with a known end date.
- Never embed keys in client-side code. Treat them like passwords — keep them server-side and out of source control. See the Authentication guide for the full security checklist.
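One way to apply the Last used and expiry guidance above across many keys, as an added example that is not SuiteOp code: a short Python audit over a hand-transcribed copy of the key list. The field names, the date format, and the 60-day and 14-day thresholds are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory: the columns the API Keys page lists, copied by hand.
# Field names and date format are assumptions, not a SuiteOp export format.
KEYS = [
    {"name": "Zapier production", "status": "Active", "created": "2025-01-10",
     "last_used": "2025-06-01", "expiry": None},           # None = "Never"
    {"name": "Nightly reporting script", "status": "Active", "created": "2024-11-02",
     "last_used": "2025-01-15", "expiry": "2025-11-02"},
    {"name": "Contractor import", "status": "Active", "created": "2025-03-01",
     "last_used": None, "expiry": "2025-06-10"},           # None = never used (dash)
    {"name": "Old webhook", "status": "Revoked", "created": "2024-01-01",
     "last_used": "2024-02-01", "expiry": None},
]

STALE_AFTER = timedelta(days=60)     # assumed threshold for "no longer in service"
EXPIRY_WARNING = timedelta(days=14)  # assumed lead time before a key lapses


def parse_day(value):
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_keys(keys, now):
    """Return {key name: [findings]} for Active keys only.

    Expired and Revoked keys no longer authenticate, so they are skipped.
    """
    findings = {}
    for key in keys:
        if key["status"] != "Active":
            continue
        notes = []
        if key["last_used"] is None:
            if now - parse_day(key["created"]) > STALE_AFTER:
                notes.append("never used: candidate for revocation")
        elif now - parse_day(key["last_used"]) > STALE_AFTER:
            notes.append("stale: confirm the integration is retired, then revoke")
        if key["expiry"] is None:
            notes.append("no expiry: set one if the integration has an end date")
        elif parse_day(key["expiry"]) - now < EXPIRY_WARNING:
            notes.append("expires soon: replace the key or let it lapse")
        if notes:
            findings[key["name"]] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit_keys(KEYS, parse_day("2025-06-05")).items():
        print(f"{name}: {'; '.join(notes)}")
```

The inventory holds only names and dates, never the key secrets themselves, so the file can be stored and shared like any other audit record.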