Manage API keys
API keys give external tools and scripts programmatic access to Vera without requiring a user login. As a Vera administrator, you create and manage keys from the API Keys page. You control who gets a key, what they can do with it, and when it expires.
For an overview of how the public API works from the integrator's perspective, see Vera public API.
Before you start
You need the Site Administrator role to manage API keys. For information about Vera roles, see Vera roles.
Go to the API Keys page
To open the API Keys page, follow these steps:
-
In the navigation menu, select API Keys.
The page lists all existing keys with the following columns: Prefix, Name, User, Scopes, Status, Created, Expires, and Last used.
Create an API key
When you create a key, Vera displays the full key value once. Copy it immediately and share it with the integrator through a secure channel. You can't retrieve the key value again after you close the dialog.
To create a key, follow these steps:
-
On the API Keys page, select Create API key.
-
Fill in the key details:
-
Name: a short, descriptive label for the key.
-
Description: optional context about the key's intended use.
-
User: the Vera user the key runs as. The key inherits this user's permissions.
-
Scopes: the operations the key is allowed to perform.
-
Expiration: optional date after which the key stops working.
-
Rate limit override: optional per-minute request limit for this key. Leave blank to use the default.
-
IP allowlist: optional comma-separated list of allowed IP addresses or CIDR ranges. Requests from other IPs are rejected.
-
-
Select Create.
-
Copy the key value from the confirmation dialog and send it to the integrator. Select Done when finished.
The key value is only shown once. If the integrator loses it, you need to rotate or recreate the key.
Edit an API key
Update the following fields at any time: name, description, scopes, active or inactive status, rate limit override, and IP allowlist. The key value, the bound user, and the creation date are fixed and can't be changed after creation.
To edit a key, follow these steps:
-
On the API Keys page, find the key you want to change.
-
Select the edit icon for that key.
-
Update the fields you want to change, then select Save.
Rotate an API key
Rotate a key when it's been compromised or when your security policy requires regular key renewal. When you rotate a key, Vera generates a new key value and starts a grace period during which the old key continues to work. After the grace period ends, the old key is deactivated automatically.
To rotate a key, follow these steps:
-
On the API Keys page, find the key you want to rotate.
-
Select Rotate for that key.
-
Set the Grace period in hours. This is how long the old key remains valid after rotation.
-
Select Rotate to confirm.
-
Copy the new key value from the confirmation dialog and share it with the integrator. Select Done when finished.
Revoke an API key
Revoke a key to permanently block it. A revoked key can't be reactivated. If you need access again later, create a new key.
To revoke a key, follow these steps:
-
On the API Keys page, find the key you want to revoke.
-
Select Revoke for that key.
-
Confirm the revocation when prompted.
API key statuses
The Status column shows the current state of each key:
|
Status |
Meaning |
|---|---|
|
Active |
The key works and can make API requests. |
|
Expiring soon |
The key will expire shortly. Notify the integrator so they can plan for a replacement. |
|
Expired |
The key passed its expiration date and no longer works. |
|
Inactive |
The key was manually deactivated. You can reactivate it by editing the key. |
|
Revoked |
The key was permanently revoked. It can't be reactivated. |
|
Auto-revoked |
The bound user was deactivated or deleted, so Vera revoked the key automatically. |
What's next
Now that you've set up your API keys, here's what you can do next:
-
Vera public API with your integrators so they understand how authentication, authorization, and rate limits work.
-
Audit History to review key management actions.