# Creating Additional API Keys

Your ApexVerify account supports multiple API keys. Creating separate keys for different environments, services, or team members makes it easy to track usage, rotate credentials independently, and limit the blast radius if a key is compromised.

***

## Why use multiple keys?

<CardGroup cols={2}>
  <Card title="Environment isolation" icon="fa-regular fa-server">
    Use separate keys for `production`, `staging`, and `development` so a leaked dev key never affects your live data.
  </Card>

  <Card title="Per-service tracking" icon="fa-regular fa-chart-line">
    Assign one key per integration (CRM sync, bulk import job, browser extension) to pinpoint which service is consuming credits.
  </Card>

  <Card title="Team access control" icon="fa-regular fa-users">
    Give each team member or CI pipeline their own key. Revoking one key doesn't disrupt other integrations.
  </Card>

  <Card title="Zero-downtime rotation" icon="fa-regular fa-arrows-rotate">
    Generate a new key, update your config, verify the new key works, then revoke the old one — no downtime required.
  </Card>
</CardGroup>

***

## Creating a new key

<Steps>
  <Step title="Log in to the Dashboard">
    Go to [app.apexverify.com](https://app.apexverify.com) and sign in to your account.
  </Step>

  <Step title="Navigate to API Keys">
    Open **Settings** in the left sidebar, then click **API Keys**.

    You'll see a list of all active keys with their labels, creation dates, and last-used timestamps.
  </Step>

  <Step title="Generate a new key">
    Click **Generate New Key**. Enter a descriptive label — this is for your own reference and does not affect how the key works.

    Good labels: `production-api`, `staging-etl`, `ci-pipeline`, `dev-john`
  </Step>

  <Step title="Copy and store the key">
    The key is shown **only once**. Copy it immediately and store it in a secret manager (e.g. AWS Secrets Manager, HashiCorp Vault, or GitHub Actions secrets) or in a `.env` file kept outside of version control.

    Once you close the modal, the full key value is no longer retrievable from the dashboard.
  </Step>

  <Step title="Verify the new key">
    Test the key before relying on it:

    ```bash
    curl -X GET https://api.apexverify.com/v1/account/credits \
      -H "X-Api-Key: YOUR_NEW_API_KEY"
    ```

    Expected response:

    ```json
    {
      "email_credit": 1000.0,
      "phone_credit": 500.0
    }
    ```
  </Step>
</Steps>

***

## Key rotation best practices

<Note>
  **Recommended rotation schedule:** Rotate production API keys every **90 days**, or immediately after any suspected exposure. For long-running background jobs, consider rotating on each deployment cycle.
</Note>

A safe rotation sequence:

1. Generate the **new key** in the dashboard
2. Deploy the new key to your production environment (update secret manager / env var)
3. Monitor the new key for a short period to confirm it's working
4. **Revoke the old key** once traffic has fully migrated

Never revoke the old key before the new key is confirmed live — this causes downtime.
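
A gate for steps 3 and 4 of the sequence above, built on the credits endpoint and `X-Api-Key` header from the verification step. This is an added example, not ApexVerify's own tooling; the function names, the key-file argument, and the probe count and interval defaults are assumptions.

```bash
# Added example, not ApexVerify code. Function names and defaults are assumptions.
API_URL="https://api.apexverify.com/v1/account/credits"

# Classify a status code and body; prints one of: live | rejected | unexpected
classify_response() (
  status=$1 body=$2
  case $status in
    200) # A live key returns both credit fields shown in "Expected response".
      case $body in
        *'"email_credit"'*'"phone_credit"'* | *'"phone_credit"'*'"email_credit"'*)
          echo live ;;
        *) echo unexpected ;;   # e.g. a proxy or captive-portal page
      esac ;;
    401) echo rejected ;;       # revoked or invalid key
    *) echo unexpected ;;       # network failure, 5xx, rate limiting, ...
  esac
)

# Probe the endpoint with the key stored in file $1. The header reaches curl
# as a config file on stdin (-K -), so the key is not in curl's argv.
probe_key() (
  tmp=$(mktemp) || exit 2
  trap 'rm -f "$tmp"' EXIT
  status=$(printf 'header = "X-Api-Key: %s"\n' "$(cat "$1")" |
    curl -sS -K - -o "$tmp" -w '%{http_code}' "$API_URL") || status=000
  classify_response "$status" "$(cat "$tmp")"
)

# Succeeds only if the last $1 results (remaining args) are all "live".
safe_to_revoke() (
  need=$1; shift; streak=0
  for r in "$@"; do
    if [ "$r" = live ]; then streak=$((streak + 1)); else streak=0; fi
  done
  [ "$streak" -ge "$need" ]
)

# Steps 3-4: probe the new key $2 times (default 3), $3 seconds apart (default 60).
rotation_gate() (
  probes=${2:-3} results="" i=0
  while [ "$i" -lt "$probes" ]; do
    results="$results $(probe_key "$1")"
    i=$((i + 1))
    if [ "$i" -lt "$probes" ]; then sleep "${3:-60}"; fi
  done
  # Word splitting of $results is intended: one argument per probe result.
  if safe_to_revoke "$probes" $results; then echo "new key confirmed: old key may be revoked"
  else echo "new key not confirmed: keep the old key active" >&2; return 1; fi
)
```

Run `rotation_gate` with the path of a file holding the new key after deploying it. Once the old key is revoked, `probe_key` on the old key's file should print `rejected`.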

***

## Revoking a key

To revoke a key:

1. Go to **Settings → API Keys** in the Dashboard
2. Locate the key by its label
3. Click **Revoke** and confirm

<Warning>
  **Revocation is immediate and irreversible.** Any in-flight requests using the revoked key will fail with `401 Unauthorized`. Make sure no active integrations depend on the key before revoking. Running batch jobs are not interrupted, but any new requests using that key will be rejected.
</Warning>
