Open Settings > Developer in the Stravax Engage app and create a new API key. The full key is shown to you exactly once at creation; after that, Stravax Engage stores only a hash of it, so if you lose it you revoke it and mint a replacement rather than retrieving the original.
In Settings > Developer, start a new key, give it a scope (the actions it is allowed to perform), and generate it. Copy the full key immediately: the reveal screen is your only chance to see it in plain text. From then on, Stravax Engage keeps only a one-way hash of the key on file, so support cannot retrieve a lost key for you either.
Each key is scoped to specific actions rather than granted blanket access to your account. For example, a key needs the messages:send scope to send messages through the API; calling an endpoint the key isn't scoped for returns a 403 insufficient_scope error instead of quietly failing or succeeding.
The key itself determines the organization, never the request body. You never pass an organization id in a call: Stravax Engage resolves it from the key you authenticated with. This is also what keeps tenants isolated from each other, a request authenticated with one organization's key cannot read or write another organization's data.
Revoke it from Settings > Developer. Revocation takes effect immediately, the next request made with that key is rejected rather than waiting for a cache or token to expire. Generate a new key afterward.
Yes, two kinds. Requests are rate-limited per key, so a sudden burst is throttled rather than allowed to hit your systems at full speed. Separately, your plan includes a monthly request ceiling, once you reach it further requests are refused until the next month or until you upgrade. See current plans for the actual numbers on your plan.
| Response | Meaning |
|---|---|
| 200 | The request succeeded. |
| 401 unauthorized | The key is missing, unrecognized, or has been revoked. |
| 403 insufficient_scope | The key doesn't carry the scope the endpoint requires. |
| 429 rate_limited | Too many requests in a short window; back off and retry. |
| 429 quota_exceeded | The monthly request ceiling for your plan has been reached. |
Only organization admins can create, view, or revoke API keys. A non-admin team member calling the key management endpoints gets a 403.
Related: Outbound webhooks, REST API v1 overview.