API Keys
API keys authenticate requests to the ConsentForge management API. They are different from embed tokens — keep them secret and use them only from your backend.
Creating an API key
Account → API Keys → Create Key
- Enter a descriptive name (e.g. "Backend sync — production")
- Select the scopes your integration needs (minimum necessary)
- Set an expiry date (optional but recommended)
- Click Create
Copy the key immediately — it is shown only once.
Available scopes
| Scope | Access |
|---|---|
| properties:read | List and view properties |
| properties:write | Create and update properties |
| policies:read | View policies and versions |
| policies:write | Create, publish, rollback policies |
| receipts:read | View consent receipts |
| receipts:export | Export receipts (large result sets) |
| webhooks:read | View webhook configuration |
| webhooks:write | Create and update webhooks |
| users:read | List account users |
| users:write | Invite and remove users |
| scan:trigger | Trigger scans via API |
| admin | Full access — use sparingly |
Key expiry
Set an expiry date to limit the blast radius if a key is compromised. Expired keys stop working automatically.
Rotate keys regularly. To rotate: create a new key → update your integration → delete the old key.
Revoking a key
Account → API Keys → [Key name] → Revoke
Revocation is immediate. Any integration using the key will start receiving 401 Unauthorized responses.
Key security best practices
- Store keys in environment variables or a secrets manager, never in source code
- Use one key per integration (easier to revoke a single compromised key)
- Use the narrowest scope that works for your use case
- Set an expiry date for keys used in CI/CD pipelines
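The following added example (not ConsentForge's own code or API) sketches how an integration can follow the rotation steps, the revocation behaviour and the best practices above: the key is read from an environment variable, a 401 after the old key is revoked triggers a one-time reload of the rotated key, and a narrowly scoped key is refused for an operation outside its scope. The in-memory server, the `Authorization: Bearer` header, the endpoint paths, the `CONSENTFORGE_API_KEY` variable name and the 403 for a missing scope are all constructed assumptions.

```python
import os
from dataclasses import dataclass, field


@dataclass
class FakeManagementApi:
    """Constructed stand-in for the management API: active keys and their scopes."""
    keys: dict = field(default_factory=dict)  # key string -> set of granted scopes
    # Hypothetical endpoints mapped to the scope from the table above that they need.
    required_scope = {"/properties": "properties:read", "/receipts/export": "receipts:export"}

    def request(self, path, headers):
        key = headers.get("Authorization", "").removeprefix("Bearer ")  # header name assumed
        if key not in self.keys:
            return 401  # revoked, expired or unknown keys fail immediately
        if self.required_scope[path] not in self.keys[key] and "admin" not in self.keys[key]:
            return 403  # constructed: key lacks the scope for this operation
        return 200

    def revoke(self, key):
        self.keys.pop(key, None)  # revocation takes effect on the next request


class Client:
    """Loads the key from the environment (never from source) and survives rotation."""
    ENV_VAR = "CONSENTFORGE_API_KEY"  # hypothetical variable name

    def __init__(self, api):
        self.api = api
        self.key = os.environ[self.ENV_VAR]

    def get(self, path):
        status = self.api.request(path, {"Authorization": f"Bearer {self.key}"})
        if status == 401 and os.environ.get(self.ENV_VAR) != self.key:
            # The secrets store holds a newer key: pick it up and retry exactly once.
            self.key = os.environ[self.ENV_VAR]
            status = self.api.request(path, {"Authorization": f"Bearer {self.key}"})
        return status


def rotation_demo():
    api = FakeManagementApi({"old-key": {"properties:read"}})
    os.environ[Client.ENV_VAR] = "old-key"
    client = Client(api)
    before = client.get("/properties")          # old key still valid: 200
    # Rotation order from the page: create new key, update integration, delete old key.
    api.keys["new-key"] = {"properties:read"}
    os.environ[Client.ENV_VAR] = "new-key"
    api.revoke("old-key")
    after = client.get("/properties")           # 401 once, reload, then 200
    export = client.get("/receipts/export")     # narrow scope does not cover export: 403
    return before, after, export
```

The retry is deliberately limited to one reload, so a key that is simply revoked (with no replacement in the environment) still surfaces the 401 to the caller.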