API Keys

API keys allow your organization to authenticate programmatic access to Pingd's Copilot API. They're used to connect external services — like the Pingd Slack bot — to your organization's data.

What API Keys Are For

When the Pingd AI agent receives a question from one of your team members via Slack, it needs to securely identify which organization the request belongs to. API keys provide that link: each key is scoped to a single organization and authenticates all Copilot API requests on behalf of that org.

Generating an API Key

  1. Navigate to Admin → API Keys in the dashboard
  2. Click Generate New Key
  3. Your new API key will be displayed once — copy it immediately
  4. The key will not be shown again after you leave this page

API keys follow this format: pingd- followed by a 32-character hex string.

Important: Store your API key securely. Treat it like a password. If you lose it, you'll need to generate a new one.

How Authentication Works

Include your API key in the Authorization header of API requests:

Authorization: Bearer pingd-your-api-key-here

When Pingd receives a request:

  1. The key is hashed (SHA-256) and looked up in the database
  2. The matching organization is identified
  3. All data access is scoped to that organization's connections and policies

No data from other organizations is ever accessible, regardless of the request.

Per-Organization Scoping

Each API key is tied to exactly one organization. This means:

  • All queries through the key only access that organization's connected data sources
  • Data access policies for the organization are enforced on every request
  • Usage is tracked per key for auditing

An organization can have multiple active API keys (useful for different environments or services).

Key Management

Viewing Keys

The API Keys page shows all keys for your organization:

  • Key prefix — The first few characters for identification (e.g., pingd-a3f2...)
  • Created date
  • Last used — When the key was last used to make a request
  • Status — Active or revoked

Revoking a Key

If a key is compromised or no longer needed:

  1. Find the key in the API Keys list
  2. Click Revoke
  3. The key is immediately deactivated — any requests using it will be rejected

Revocation is instant and cannot be undone. You'll need to generate a new key if you revoke one by mistake.

Key Expiry

API keys can be configured with an expiration date. Once expired, the key stops working automatically. This is useful for temporary integrations or contractor access.
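
The hash-and-lookup flow from How Authentication Works, combined with the revocation and expiry rules above, as an added Python example (not Pingd's own code). KeyStore, its in-memory dict, the record fields and the org ids are hypothetical stand-ins for the real key table.

```python
import hashlib
import re
import secrets
from datetime import datetime, timedelta, timezone

KEY_RE = re.compile(r"pingd-[0-9a-f]{32}")  # key format as stated on this page


def digest(key: str) -> str:
    """SHA-256 hex digest of the key; this is the only form that gets stored."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


class KeyStore:
    """Hypothetical in-memory stand-in for the key table (an assumption)."""

    def __init__(self):
        self._rows = {}  # digest -> record; the plaintext key is never kept

    def generate(self, org_id, expires_at=None):
        key = "pingd-" + secrets.token_hex(16)  # 16 random bytes = 32 hex chars
        self._rows[digest(key)] = {
            "org_id": org_id,
            "prefix": key[:10] + "...",  # display prefix, e.g. pingd-a3f2...
            "expires_at": expires_at,
            "revoked": False,
            "last_used": None,
        }
        return key  # shown to the caller once; cannot be recovered afterwards

    def revoke(self, key):
        self._rows[digest(key)]["revoked"] = True

    def authenticate(self, authorization, now=None):
        """Return the org id for a valid Authorization header value, else None."""
        now = now or datetime.now(timezone.utc)
        scheme, _, token = (authorization or "").partition(" ")
        if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
            return None  # malformed header or key: reject before any lookup
        row = self._rows.get(digest(token))
        if row is None or row["revoked"]:
            return None  # unknown or revoked key
        if row["expires_at"] is not None and now >= row["expires_at"]:
            return None  # expired key stops working automatically
        row["last_used"] = now  # feeds the "Last used" column
        return row["org_id"]  # every later data access is scoped to this org
```

Because only the digest is stored, a leaked copy of the table does not reveal usable keys, and a lost key cannot be redisplayed, which is why the dashboard shows it only once.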

Who Can Manage API Keys

  • Owners and Admins can generate and revoke API keys
  • Members cannot access the API Keys page

Best Practices

  • One key per integration — Use separate keys for different services so you can revoke one without affecting others
  • Rotate keys periodically — Generate a new key and update your services, then revoke the old one
  • Never share keys in chat or email — Use a secrets manager or secure credential store
  • Monitor usage — Check the "Last used" timestamp to identify unused keys that should be revoked