Identity & Access

API Keys

How to create and manage API keys for programmatic access to the Bivariant platform — scoping, permissions, and best practices.

API keys provide programmatic access to the platform without interactive authentication. They are designed for server-to-server integrations, automation scripts, and external systems that need to interact with the platform API.

How API keys work

An API key is a long-lived credential that maps to a specific account and permission set. When included in an API request, the platform resolves the key to its owner and evaluates permissions as if the owner made the request.

Authorization: Bearer {api_key}

Creating API keys

API keys are created through the platform dashboard:

  1. Navigate to Settings → API Keys
  2. Click Create API Key
  3. Configure the key:
    • Name — a descriptive label (e.g., "CI/CD Pipeline", "CRM Sync")
    • Permissions — select the permissions the key should have
    • Expiration — optionally set an expiration date
  4. Copy the key value — it is shown only once

Scoping

API keys are scoped to constrain what they can access:

Scope         Meaning
Organization  The key operates within a specific organization
Space         The key is further restricted to a specific space
Permissions   Only the selected permissions are available

A key scoped to a single space with collections:read can only read collection data in that space — nothing else.

Permission model

API key permissions follow the same resource:action format as role-based permissions:

collections:read
collections:create
flows:execute
agents:read

The key can never exceed the permissions of the account that created it. If the creating account has collections:read and collections:create, the key can be granted at most those two permissions.

Best practices

Use the minimum required permissions

Grant only the permissions the key actually needs. A key used to read collection data should not have flows:execute or collections:delete.

Set expiration dates

For temporary integrations or time-bound processes, set an expiration date. Expired keys are automatically invalidated.

Rotate keys regularly

Replace long-lived keys periodically. Create a new key, update your integration to use it, then revoke the old key.

Use descriptive names

Name keys after their purpose ("Zapier Sync", "Nightly Export") so you can identify and audit them later.

Revoke unused keys

Review active keys periodically. Revoke any key that is no longer in use.

Revoking API keys

To revoke an API key:

  1. Navigate to Settings → API Keys
  2. Find the key by name
  3. Click Revoke

Revocation is immediate. Any request using the revoked key will receive a 401 Unauthorized response.
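
The rules on this page (resource:action permissions, the creating account's permission ceiling, organization and space scoping, expiration and revocation) can be modeled as one small check. This is an added illustration, not Bivariant's code: the ApiKey fields, the function names, the reason strings and the evaluation order are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass(frozen=True)
class ApiKey:                        # hypothetical record, not the platform's schema
    name: str
    organization: str
    space: Optional[str]             # None = not restricted to a single space
    permissions: frozenset           # exact "resource:action" strings
    expires_at: Optional[datetime] = None
    revoked: bool = False

def issue_key(name, creator_permissions, requested, organization,
              space=None, expires_at=None):
    """Create a key, refusing any permission the creating account lacks."""
    requested = frozenset(requested)
    for perm in requested:
        resource, sep, action = perm.partition(":")
        if not (resource and sep and action):
            raise ValueError(f"not in resource:action form: {perm!r}")
    excess = requested - frozenset(creator_permissions)
    if excess:                       # a key can never exceed its creator
        raise PermissionError(f"creator lacks: {sorted(excess)}")
    return ApiKey(name, organization, space, requested, expires_at)

def authorize(key, organization, space, permission, now=None):
    """Return (allowed, reason) for one request made with `key`."""
    now = now or datetime.now(timezone.utc)
    if key.revoked:                  # the page: revoked keys receive 401
        return False, "revoked"
    if key.expires_at is not None and now >= key.expires_at:
        return False, "expired"
    if organization != key.organization:
        return False, "outside organization scope"
    if key.space is not None and space != key.space:
        return False, "outside space scope"
    if permission not in key.permissions:
        return False, "permission not granted"
    return True, "ok"

if __name__ == "__main__":
    # Constructed sample: the creator holds the two permissions from the page's example.
    creator = {"collections:read", "collections:create"}
    key = issue_key("Nightly Export", creator, {"collections:read"},
                    "org-a", space="space-1")
    print(authorize(key, "org-a", "space-1", "collections:read"))
    print(authorize(key, "org-a", "space-2", "collections:read"))
    print(authorize(key, "org-a", "space-1", "flows:execute"))
```

The same function doubles as an audit aid: replaying an integration's recorded requests through it shows which granted permissions are never exercised and can be removed from the key.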