How to Generate and Manage API Keys Securely
API keys are the digital credentials that allow your custom software or third-party applications to communicate securely with the 4Geeks ecosystem. Whether you are automating payouts via 4Geeks Payments, syncing candidate data from 4Geeks Talent, or integrating medical records with 4Geeks Health, a secure API key is your starting point.
This guide provides a comprehensive walkthrough on how to generate, manage, and secure your API keys using the 4Geeks Console. By following these steps, you ensure that your integrations remain robust while keeping your organization’s data safe.
Prerequisites¶
Before you begin generating keys, ensure you meet the following requirements:
- Account Access: You must have an active account on the 4Geeks Console.
- User Permissions: You need “Admin” or “Developer” access rights. General users typically do not have permission to view or create API keys.
- Security Setup: It is highly recommended that you have Two-Factor Authentication (2FA) enabled on your account before performing high-security actions like key generation.
Step-by-Step Instructions¶
Follow these steps to create a new API key.
Step 1: Access the Developer Settings¶
- Log in to your 4Geeks Console.
- On the main navigation sidebar, locate and click on Settings.
- From the dropdown or settings menu, select API & Developers.
Step 2: Generate a New Key¶
- In the API Keys section, you will see a list of existing keys (if any). Click the + Generate New Key button.
- Name Your Key: Enter a descriptive name in the “Label” field.
- Tip: Use a naming convention that identifies the key’s purpose and the service using it (e.g.,
Zapier-Integration-PayrollorInternal-App-Health).
- Tip: Use a naming convention that identifies the key’s purpose and the service using it (e.g.,
- Set Expiration (Optional): For enhanced security, you can set an expiration date. If this key is for a temporary project, select a date; otherwise, leave it as “Never Expire.”
Step 3: Define Permissions (Scopes)¶
To adhere to the principle of least privilege, only grant the permissions necessary for the specific task.
- Review the list of available products (e.g., 4Geeks Asset, 4Geeks Perks).
- Toggle the specific Read or Write permissions required.
- Example: If the key is for a dashboard viewer, grant Read-Only access to 4Geeks Asset. Do not grant Write access to 4Geeks Payroll unless the integration explicitly requires modifying salary data.
- Click Create Key.
Step 4: Copy and Store Your Key¶
Crucial Step: Once the key is generated, a modal will display the full API Secret Key.
- Click the Copy icon to copy the string to your clipboard.
- Paste this key immediately into your secure vault, password manager, or environment variable file (
.env). - Note: For security reasons, 4Geeks will never show this full key again. If you lose it, you will have to generate a new one and update your integrations.
Common Use Cases¶
Understanding how to apply these keys can help streamline your operations across the 4Geeks suite.
Scenario 1: Automating Onboarding Workflows¶
Situation: Your HR team uses a custom internal portal and wants to trigger onboarding tasks automatically when a new hire is approved. Application: You generate an API key with “Write” access to 4Geeks Talent. When a candidate is marked as “Hired” in your internal system, the API key authenticates a request to 4Geeks Talent to initiate the onboarding sequence.
Scenario 2: syncing Inventory for E-Commerce¶
Situation: You utilize 4Geeks Asset for inventory tracking but use a third-party tool for front-end sales. Application: By creating a “Read-Only” API key for your sales platform, it can query 4Geeks Asset every 15 minutes to fetch real-time stock levels, ensuring you never oversell a product.
Troubleshooting¶
If your integrations are failing, check these common issues associated with API keys.
Issue 1: HTTP 401 Unauthorized Error¶
- Cause: The API key is missing, incorrect, or has been deleted.
- Solution: Check your application code to ensure the key is being passed correctly in the Header (usually
Authorization: Bearer YOUR_API_KEY). If the code is correct, verify in the 4Geeks Console that the key status is “Active.”
Issue 2: HTTP 403 Forbidden Error¶
- Cause: The key works, but it does not have permission to access the specific resource.
- Solution: You likely restricted the Scope during Step 3. For example, if you are trying to use 4Geeks AI Agents endpoints but only enabled permissions for 4Geeks Perks, the request will fail. Generate a new key with the correct scopes.
Issue 3: Key Compromise¶
- Cause: A developer accidentally committed the API key to a public GitHub repository.
- Solution: Treat this as a security emergency. Immediately log in to the console, find the compromised key, and click Revoke/Delete. Generate a new key and update your environment variables.
Best Practices for Security¶
- Rotate Keys: Change your API keys periodically (e.g., every 90 days) to reduce the risk of compromised credentials.
- Use Environment Variables: Never hard-code API keys directly into your application source code.
- Limit Scopes: Never generate a “Super Admin” key with access to everything unless absolutely necessary. If a key is only needed for 4Geeks Payroll, do not give it access to 4Geeks Health data.
Conclusion¶
Managing API keys securely is the foundation of a stable and safe technical infrastructure. By correctly configuring permissions and handling your credentials with care, you can unlock the full potential of automation within the 4Geeks ecosystem.
Ready to build your first integration? Visit the 4Geeks Console to get started.
Additional Resources¶
- Deep Dive: How to Generate and Manage API Keys Securely
- 4Geeks Developer Documentation
- Contact Support
- Still questions? Ask to the community.
- Check out the changelog.