Creating Additional API Keys
Your ApexVerify account supports multiple API keys. Creating separate keys for different environments, services, or team members makes it easy to track usage, rotate credentials independently, and limit the blast radius if a key is compromised.
Why use multiple keys?
Use separate keys for production, staging, and development so a leaked dev key never affects your live data.
Assign one key per integration (CRM sync, bulk import job, browser extension) to pinpoint which service is consuming credits.
Give each team member or CI pipeline their own key. Revoking one key doesn’t disrupt other integrations.
Generate a new key, update your config, verify the new key works, then revoke the old one — no downtime required.
Creating a new key
Generate a new key
Click Generate New Key. Enter a descriptive label — this is for your own reference and does not affect how the key works.
Good labels: production-api, staging-etl, ci-pipeline, dev-john
Copy and store the key
The key is shown only once. Copy it immediately and store it in a secret manager (e.g. AWS Secrets Manager, HashiCorp Vault, GitHub Actions secrets, or a .env file outside of version control).
Once you close the modal, the full key value is no longer retrievable from the dashboard.
Key rotation best practices
Recommended rotation schedule: Rotate production API keys every 90 days, or immediately after any suspected exposure. For long-running background jobs, consider rotating on each deployment cycle.
A safe rotation sequence:
- Generate the new key in the dashboard
- Deploy the new key to your production environment (update secret manager / env var)
- Monitor the new key for a short period to confirm it’s working
- Revoke the old key once traffic has fully migrated
Never revoke the old key before the new key is confirmed live — this causes downtime.
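The "monitor, then revoke" decision in the sequence above can be automated as a gate. This is an added example, not ApexVerify code: it assumes you keep your own log of outbound API calls, tagged with a fingerprint of the key rather than the key itself. The `Call` record, `safe_to_revoke`, the 15-minute window and the 20-call threshold are hypothetical, and the sample keys and log are constructed.

```python
import hashlib
from dataclasses import dataclass


def fingerprint(api_key: str) -> str:
    """Short SHA-256 tag so logs can identify a key without containing it."""
    return hashlib.sha256(api_key.encode()).hexdigest()[:12]


@dataclass(frozen=True)
class Call:
    """One outbound API call from your own request log (assumed shape)."""
    ts: int       # epoch seconds
    key_fp: str   # fingerprint() of the key that was sent
    status: int   # HTTP status the API returned


def safe_to_revoke(log, old_fp, new_fp, now, window=900, min_ok=20):
    """Gate for the last rotation step. Returns (ok, reason).

    window (seconds) and min_ok are assumed defaults; tune them to your traffic.
    """
    recent = [c for c in log if 0 <= now - c.ts <= window]
    new_calls = [c for c in recent if c.key_fp == new_fp]
    old_calls = [c for c in recent if c.key_fp == old_fp]
    if any(c.status == 401 for c in new_calls):
        return False, "new key rejected with 401"
    ok = sum(1 for c in new_calls if 200 <= c.status < 300)
    if ok < min_ok:
        return False, f"only {ok} successful calls on new key, need {min_ok}"
    if old_calls:
        return False, f"{len(old_calls)} recent calls still use old key"
    return True, "new key live, old key idle"


# Constructed sample data: placeholder keys and a synthetic log.
OLD_FP = fingerprint("old-key-placeholder")
NEW_FP = fingerprint("new-key-placeholder")
NOW = 1_700_000_000


def sample_log(stragglers: int):
    """25 successful calls on the new key plus N late calls on the old key."""
    log = [Call(NOW - 30 * i, NEW_FP, 200) for i in range(25)]
    log += [Call(NOW - 60 * i, OLD_FP, 200) for i in range(stragglers)]
    return log


if __name__ == "__main__":
    print(safe_to_revoke(sample_log(0), OLD_FP, NEW_FP, NOW))
    print(safe_to_revoke(sample_log(3), OLD_FP, NEW_FP, NOW))
```

A `False` result with old-key stragglers usually points to a service or scheduled job that was missed when the new key was deployed.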
Revoking a key
To revoke a key:
- Go to Settings → API Keys in the Dashboard
- Locate the key by its label
- Click Revoke and confirm
Revocation is immediate and irreversible. Any in-flight requests using the revoked key will fail with 401 Unauthorized. Make sure no active integrations depend on the key before revoking. Running batch jobs are not interrupted, but any new requests using that key will be rejected.
