API Key
Create and manage tenant-scoped API keys to authenticate backend calls to The Wallet Crew APIs.
API keys authenticate server-to-server calls to The Wallet Crew APIs. Every key is tenant-scoped: it works for a single tenant only, so an integration that runs in several tenants needs one key per tenant.
Keys can also be restricted to specific scopes. Granting only the scopes an integration actually needs (least privilege) limits the blast radius if the key leaks.
Real-world examples
A Brand CRM job updates loyalty points nightly, then triggers pass updates.
An integration middleware issues new passes after an e-commerce checkout event.
A data pipeline fetches pass installation status and sends it to analytics.
Before you start
An admin account with access to Settings is required.
The intended usage and owning system are identified (service, job, connector).
The minimum required scopes are listed. Each API endpoint documents its required scopes, and the admin console lists the available scopes at key creation time.
Never ship an API key in a mobile app or in front-end JavaScript: anything delivered to a client can be extracted from it. Treat the key like a password.
Create an API key
Open API Keys
Sign in to the admin console.
Go to Settings → Security → API Keys.
Use the key in API requests
Send the key in the X-API-KEY header.
Example header:
X-API-KEY: <your_api_key>
The full endpoint list and request/response formats are available in the API reference.
Validate access quickly
Authentication and authorization failures look similar, but mean different fixes. A quick validation flow helps isolate the issue early.
Run a low-impact GET request (for example a read or list call) that the selected scopes cover. A 401 Unauthorized response typically indicates a missing, invalid, or revoked key. A 403 Forbidden response typically indicates a valid key whose scopes do not include the one the endpoint requires.
Manage, rotate, revoke
Rotate keys regularly.
Create a new key.
Deploy it to your services.
Revoke the old key after a short overlap.
Revoke keys immediately if they leak.
Keep separate keys per environment and integration.
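The following is an added example client, not code from The Wallet Crew, that ties together the two procedures above: it sends the key in the X-API-KEY header, classifies a 401 (authentication: missing, invalid or revoked key) separately from a 403 (authorization: missing scope), and supports the rotation overlap by reading a current key and an optional replacement key from the environment and falling back to the replacement only when the current key is rejected with 401. The base URL, the probe path, and the environment variable names are hypothetical placeholders; take the real endpoint from the API reference.

```python
"""Added example: X-API-KEY client with 401/403 classification and rotation fallback.

Not the project's own code. BASE_URL, PROBE_PATH and the environment variable
names are hypothetical placeholders for this illustration.
"""
import os
import urllib.error
import urllib.request
from typing import Callable, Iterable, Mapping, Optional, Tuple

BASE_URL = "https://api.example.invalid"   # placeholder, not a real endpoint
PROBE_PATH = "/v1/passes"                   # placeholder: a low-impact GET the key's scopes cover

KeyEntry = Tuple[str, Optional[str]]        # (label, key value or None)
Outcome = Tuple[str, int, str]              # (key label, HTTP status, classification)


def http_get(url: str, api_key: str) -> int:
    """Send a GET with the key in the X-API-KEY header and return the HTTP status code."""
    req = urllib.request.Request(url, headers={"X-API-KEY": api_key}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        # 4xx/5xx are raised as exceptions by urllib; the status is what we want.
        return err.code


def classify(status: int) -> str:
    """Map a status to the fix it implies: 'authn' = wrong/revoked key, 'authz' = missing scope."""
    if status == 401:
        return "authn"
    if status == 403:
        return "authz"
    if 200 <= status < 300:
        return "ok"
    return "other"


def validate_access(
    keys: Iterable[KeyEntry],
    send: Callable[[str, str], int] = http_get,
    base_url: str = BASE_URL,
    path: str = PROBE_PATH,
) -> Optional[Outcome]:
    """Probe the API with each candidate key in order.

    A 401 means this key is not accepted (for example the old key was already revoked
    during a rotation), so the next candidate is tried. A 403 or a success means the key
    itself is valid, so probing stops: trying another key would not fix a scope problem.
    Returns the last outcome, or None when no key was configured at all.
    """
    url = base_url + path
    last: Optional[Outcome] = None
    for label, key in keys:
        if not key:
            continue
        status = send(url, key)
        last = (label, status, classify(status))
        if last[2] != "authn":
            return last
    return last


def keys_from_env(env: Mapping[str, str] = os.environ) -> list:
    """Keys come from the environment, never from source control.

    WALLET_CREW_API_KEY_NEXT (hypothetical name) holds the replacement key during a
    rotation overlap; unset it and move it to WALLET_CREW_API_KEY once the old key is revoked.
    """
    return [
        ("current", env.get("WALLET_CREW_API_KEY")),
        ("next", env.get("WALLET_CREW_API_KEY_NEXT")),
    ]


if __name__ == "__main__":
    print(validate_access(keys_from_env()))
```

The `send` parameter exists so the classification logic can be exercised without network access; in production leave it at the default. Keep the fallback key in the environment only for the overlap window, and log which label succeeded so you can see when the old key stops being used.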
Troubleshooting
401 Unauthorized
Missing or invalid X-API-KEY header.
Key was revoked.
403 Forbidden
Key is valid but missing required scope.
FAQ
Can one API key be used across multiple tenants?
No. API keys are tenant-scoped. Each tenant requires its own key, even when the same integration runs in multiple tenants.
Can an API key be retrieved later if it was not copied?
API keys are meant to be shown once at creation time. If the value is lost, the safest path is to revoke the old key and create a new one.
What is the best way to name API keys?
A name should identify the owning system and environment. Names like crm-sync-prod or data-export-staging make rotation and incident response much faster.