API & Integrations

API keys and programmatic access

Scoped keys with per-hour rate limits. Separate from the Integrations connectors.

Last updated 2026-05-29

In the app

Who this is for

Developers automating audits, sites, leads, or reports over HTTPS. Not for operators pasting Slack webhooks; for those use Integrations (Slack, Discord, PlusVibe, and webhooks).

When to use this page

Use API Keys when you need REST credentials for CI, a third-party service, or a scripted backfill. Use Integrations when you need a chat alert, a Zapier or Make.com webhook, or the PlusVibe credentials block.

Before you start

Confirm your plan includes API access. Free plans may be blocked server-side; check Billing and Pricing for the entitlement.
Decide which scopes the integration actually needs so you can pick a minimal set.

In the app

API Keys is the page heading with the Key icon and subtitle "Manage programmatic access to the API".

Create a key

New Key toggles the Create New API Key form.
Name is a required label (placeholder "e.g. CI/CD Pipeline").
Rate Limit (req/hour) is numeric; the form defaults to 100.
Expires In (days, optional). Leave blank for no expiry (placeholder "Never").
Scopes are toggled: audits:read, audits:write, sites:read, sites:write, leads:read, leads:write, reports:read. Defaults are often audits:read and sites:read.

Submitting the form creates the key. A banner appears: "API key created! Copy it now; it won't be shown again." with Copy and Dismiss.

Manage keys

Rows support activate and deactivate toggles, plus Delete (with a confirm prompt: "Delete API key <name>? This cannot be undone.").

Common pitfalls

UI element	Meaning
Red banner with Dismiss	`localError` from `createApiKey` (fallback text "Failed to create key").
Red banner with Retry	React Query load failure (`fetchErrorMessage`). Refetches the list.
Loading API keys...	Initial query in flight.

Free plans may be blocked server-side. Confirm Billing and Pricing for the API entitlement.

Authentication

Send the key as documented in Docs and OpenAPI (X-API-Key header or a query parameter, per the deployment).

Outbound platform webhooks

Subscriptions under Integrations > Zapier / Make.com deliver JSON for audit lifecycle events. They do not replace API keys for inbound REST calls.

In the app

API Keys is the page heading with the Key icon and subtitle "Manage programmatic access to the API".

Create a key

New Key toggles the Create New API Key form.

Name is a required label (placeholder "e.g. CI/CD Pipeline").

Rate Limit (req/hour) is numeric; the form defaults to 100.

Expires In (days, optional). Leave blank for no expiry (placeholder "Never").

Scopes are toggled: audits:read, audits:write, sites:read, sites:write, leads:read, leads:write, reports:read. Defaults are often audits:read and sites:read.

Submitting the form creates the key. A banner appears: "API key created! Copy it now; it won't be shown again." with Copy and Dismiss.

Manage keys

Rows support activate and deactivate toggles, plus Delete (with a confirm prompt: "Delete API key <name>? This cannot be undone.").

Common pitfalls

UI element

Meaning

Red banner with Dismiss

localError from createApiKey (fallback text "Failed to create key").

Red banner with Retry

React Query load failure (fetchErrorMessage). Refetches the list.

Loading API keys...

Initial query in flight.

Free plans may be blocked server-side. Confirm Billing and Pricing for the API entitlement.

In the app

Who this is for

When to use this page

Before you start

In the app

Create a key

Manage keys

Common pitfalls

Authentication

Outbound platform webhooks

Related

In the app

Who this is for

When to use this page

Before you start

In the app

Create a key

Manage keys

Common pitfalls

Authentication

Outbound platform webhooks

Related