Docs / Developers / API keys

API keys

Last updated: 16 July 2026

Open Settings > Developer in the Stravax Engage app and create a new API key. The full key is shown to you exactly once at creation; after that, Stravax Engage stores only a hash of it, so if you lose it you revoke it and mint a replacement rather than retrieving the original.

How do I create a Stravax Engage API key?

In Settings > Developer, start a new key, give it a scope (the actions it is allowed to perform), and generate it. Copy the full key immediately: the reveal screen is your only chance to see it in plain text. From then on, Stravax Engage keeps only a one-way hash of the key on file, so support cannot retrieve a lost key for you either.

What can a key do?

Each key is scoped to specific actions rather than granted blanket access to your account. For example, a key needs the messages:send scope to send messages through the API; calling an endpoint the key isn't scoped for returns a 403 insufficient_scope error instead of quietly failing or succeeding.

How does Stravax Engage know which organization a request belongs to?

The key itself determines the organization, never the request body. You never pass an organization id in a call: Stravax Engage resolves it from the key you authenticated with. This is also what keeps tenants isolated from each other, a request authenticated with one organization's key cannot read or write another organization's data.

What do I do if a key is compromised?

Revoke it from Settings > Developer. Revocation takes effect immediately, the next request made with that key is rejected rather than waiting for a cache or token to expire. Generate a new key afterward.

Are there limits on API usage?

Yes, two kinds. Requests are rate-limited per key, so a sudden burst is throttled rather than allowed to hit your systems at full speed. Separately, your plan includes a monthly request ceiling, once you reach it further requests are refused until the next month or until you upgrade. See current plans for the actual numbers on your plan.

Common response codes

Response Meaning
200 The request succeeded.
401 unauthorized The key is missing, unrecognized, or has been revoked.
403 insufficient_scope The key doesn't carry the scope the endpoint requires.
429 rate_limited Too many requests in a short window; back off and retry.
429 quota_exceeded The monthly request ceiling for your plan has been reached.

Who can manage API keys?

Only organization admins can create, view, or revoke API keys. A non-admin team member calling the key management endpoints gets a 403.

Related: Outbound webhooks, REST API v1 overview.

More in Developers