How to Generate and Manage API Keys

Create scoped API keys for external integrations, set rate limits, and manage key lifecycle.

API keys provide programmatic access to Carfluence without requiring user login. They are ideal for server-to-server integrations, automation scripts, and third-party tools.

Creating an API Key

Via API:

POST /api/v1/api-keys
Authorization: Bearer <admin-jwt>
Content-Type: application/json

{
  "name": "Partner Integration",
  "scopes": ["inventory:read", "dealers:read"],
  "rateLimitPerHour": 1000
}

Via Dashboard:

  1. Go to API Keys in the sidebar
  2. Click Create New Key
  3. Enter a descriptive name
  4. Select the scopes (permissions)
  5. Set the rate limit
  6. Click Create

The key is shown once — copy it immediately. It cannot be retrieved again.

Scoping Best Practices

Follow the principle of least privilege:

  • A read-only dashboard integration only needs inventory:read and dealers:read
  • A sync tool needs integrations:read and integrations:write
  • Only give admin scope when absolutely necessary

Rate Limits

Default: 1000 requests/hour. You can set custom limits per key:

  • Low-volume dashboards: 100/hour
  • Active integrations: 1000/hour
  • High-volume data pipelines: 5000/hour

Revoking Keys

DELETE /api/v1/api-keys/:id

Revocation is immediate. Any request using the revoked key will receive a 401 Unauthorized response.

Listing Keys

GET /api/v1/api-keys

Returns all keys (with the actual key value masked). Shows name, scopes, rate limit, last used timestamp, and creation date.

Security Notes

  • API keys are prefixed with cf_live_ for easy identification
  • Keys are hashed in the database — we cannot retrieve the original value
  • Rotate keys periodically (recommended: every 90 days)
  • Monitor the activity log for unusual API key usage patterns
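
One way to act on the rotation, least-privilege and monitoring notes above is to audit the output of the key listing on a schedule. This is an added example, not Carfluence code: the field names `createdAt` and `lastUsedAt`, the ISO 8601 timestamp format, the literal scope string `admin` and the 30-day idle window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)      # rotation interval recommended on this page
STALE_AFTER = timedelta(days=30)  # assumption: idle window before a key is flagged


def _ts(value):
    """Parse an ISO 8601 timestamp (assumed format); None stays None."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_keys(keys, now):
    """Return {key name: [findings]} for keys that need attention."""
    report = {}
    for key in keys:
        findings = []
        last_used = _ts(key.get("lastUsedAt"))
        if now - _ts(key["createdAt"]) > MAX_AGE:
            findings.append("rotate: older than 90 days")
        if "admin" in key["scopes"]:  # assumed scope string
            findings.append("review: admin scope")
        if last_used is None:
            findings.append("revoke?: never used")
        elif now - last_used > STALE_AFTER:
            findings.append("revoke?: idle for more than 30 days")
        if findings:
            report[key["name"]] = findings
    return report


# Constructed sample records shaped like the listing described above.
SAMPLE_KEYS = [
    {"name": "Partner Integration", "scopes": ["inventory:read", "dealers:read"],
     "rateLimitPerHour": 1000, "createdAt": "2025-11-20T09:00:00Z",
     "lastUsedAt": "2025-12-08T17:30:00Z"},
    {"name": "Legacy Sync", "scopes": ["integrations:read", "integrations:write", "admin"],
     "rateLimitPerHour": 5000, "createdAt": "2025-06-01T00:00:00Z",
     "lastUsedAt": "2025-09-15T12:00:00Z"},
    {"name": "Unused Dashboard", "scopes": ["inventory:read"],
     "rateLimitPerHour": 100, "createdAt": "2025-11-30T00:00:00Z", "lastUsedAt": None},
]
SAMPLE_NOW = datetime(2025, 12, 9, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, findings in audit_keys(SAMPLE_KEYS, SAMPLE_NOW).items():
        print(f"{name}: {'; '.join(findings)}")
```

Keys that come back with findings are candidates for rotation or for the DELETE call shown under Revoking Keys.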

Last updated: December 9, 2025