API Keys
Create and manage API keys for programmatic access to Penvio.
API keys are available on Business and Enterprise plans. Upgrade your plan to access this feature.
Overview
API keys enable:
- Programmatic access to Penvio APIs
- Integration with your applications
- Automated workflows
- Third-party service connections
Accessing API Keys
Organization admins and owners can manage API keys:
- Go to Organization Settings
- Click API Keys in the sidebar
- View and manage your organization’s keys
Creating an API Key
Open API Keys Page
Navigate to Organization Settings > API Keys
Create New Key
Click Create API Key
Configure Key
Enter key details:
- Name: Descriptive name (e.g., “Production Integration”)
- Description: Optional details about the key’s purpose
- Expiration: Set an expiry date or “Never expires”
Create
Click Create to generate the key
Copy Key
Important: Copy the key immediately. It will only be shown once.
The key format: penv_xxxxxxxxxxxxxxxxxxxx
The full API key is only displayed once when created. Store it securely immediately. If you lose it, you’ll need to create a new key.
Managing API Keys
Viewing Keys
The API Keys page shows:
- Key name
- Key prefix (first 8 characters)
- Created date
- Last used date
- Expiration status
Key Details
Click a key to view:
- Full configuration
- Usage statistics
- Activity history
Revoking Keys
To revoke a key:
- Find the key in the list
- Click the Revoke button
- Confirm revocation
Revoking a key is immediate and permanent. Any applications using that key will lose access.
Using API Keys
Authentication
Include the API key in request headers:
Authorization: Bearer penv_xxxxxxxxxxxxxxxxxxxx
Example Request
curl -X GET https://api.penvio.io/v1/documents \
  -H "Authorization: Bearer penv_xxxxxxxxxxxxxxxxxxxx"
Security Best Practices
Key Management
| Practice | Description |
|---|---|
| Use descriptive names | Helps identify key purpose |
| Set expiration dates | Limits exposure if compromised |
| Create separate keys | Different keys for different integrations |
| Rotate regularly | Replace keys periodically |
| Revoke unused keys | Remove keys no longer needed |
Storage
| Do | Don’t |
|---|---|
| Store in secrets manager | Hardcode in source code |
| Use environment variables | Commit to version control |
| Encrypt at rest | Share via email/chat |
| Limit access to key | Give to untrusted parties |
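
The "Don't" column above can be checked automatically before a commit lands. The following Python scanner is an added example, not part of Penvio's documentation or tooling: it finds strings shaped like penv_ keys and reports only the first 8 characters, so a hit can be matched against the key prefix on the API Keys page and revoked. The key pattern (penv_ plus 20 or more URL-safe characters), counting the 8-character prefix from the start of the string, and the PENVIO_API_KEY variable name are assumptions.

```python
import re
import sys

# Assumption: a key is "penv_" plus 20 or more URL-safe characters, inferred
# from the placeholder penv_xxxxxxxxxxxxxxxxxxxx; adjust to the real alphabet.
KEY_RE = re.compile(r"\bpenv_[A-Za-z0-9_-]{20,}")
PLACEHOLDER_RE = re.compile(r"^penv_[xX]+$")  # documentation placeholder, not a secret

# Constructed sample input; the key and the variable name are made up.
SAMPLE = '''\
# integration settings
API_URL = "https://api.penvio.io/v1/documents"
API_KEY = "penv_4fK29sLmQ0aZx81TbnVw"
DOC_HEADER = "Authorization: Bearer penv_xxxxxxxxxxxxxxxxxxxx"
API_KEY_FROM_ENV = os.environ["PENVIO_API_KEY"]
'''


def redact(key: str) -> str:
    """Keep only the first 8 characters so reports never repeat the secret."""
    return key[:8] + "..."


def scan_text(text: str, source: str = "<input>") -> list:
    """Return one finding per hardcoded key, with the key already redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            key = match.group(0)
            if PLACEHOLDER_RE.match(key):
                continue  # skip the all-x example value used in docs
            findings.append({"source": source, "line": lineno, "key": redact(key)})
    return findings


if __name__ == "__main__":
    paths = sys.argv[1:]
    hits = [] if paths else scan_text(SAMPLE, "SAMPLE")
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += scan_text(fh.read(), path)
    for h in hits:
        print(f'{h["source"]}:{h["line"]}: possible Penvio API key {h["key"]}')
    sys.exit(1 if hits else 0)  # non-zero exit blocks a pre-commit hook or CI job
```

Run it with file paths as arguments from a pre-commit hook or CI step. A key it finds in committed history should be treated as exposed: create a new key, update the application, then revoke the old one.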
Monitoring
- Review API key activity regularly
- Check for unusual usage patterns
- Set up alerts for suspicious activity
- Monitor failed authentication attempts
Rate Limits
API requests are rate limited by subscription tier:
| Tier | Rate Limit |
|---|---|
| Business | 2,000 requests per 15 minutes |
| Enterprise | 10,000 requests per 15 minutes |
Exceeding rate limits returns HTTP 429 responses.
API Key Permissions
API keys inherit organization-level permissions:
- Access to organization documents
- E-Sign API access
- Document operations
Keys cannot:
- Modify organization settings
- Manage other API keys
- Access other organizations
Audit Logging
All API key activity is logged:
- Key creation
- Key revocation
- API requests (success and failure)
- Rate limit violations
View logs in Organization Settings > Audit Logs.
Troubleshooting
Key Not Working
| Issue | Solution |
|---|---|
| 401 Unauthorized | Verify key is correct and not revoked |
| 403 Forbidden | Check key has required permissions |
| 429 Too Many Requests | Reduce request rate |
| Key expired | Create a new key |
Lost Key
If you’ve lost an API key:
- Create a new key
- Update your applications with the new key
- Revoke the old key
Tips
- Create separate keys for development and production
- Include purpose in key name (e.g., “CI/CD Pipeline”)
- Set calendar reminders for key expiration
- Document which systems use which keys
- Test key revocation in staging first