Manage API Keys

API keys enable external systems to interact with the platform programmatically. This guide covers creating, using, monitoring, and revoking API keys.

Creating API Keys

Navigate to Settings → API Keys in the admin dashboard
Click Create New Key
Enter a descriptive name for the key (e.g., “CRM Integration”, “Mobile App”)
Select a role: Agent, Broker, or Admin
Assign to a brokerage (required for broker/agent keys)
Click Create
Copy the generated key immediately
Store it securely (password manager, encrypted vault)

Key Naming Best Practices

Choose names that identify:

What system uses it: “Zapier Integration”, “Mobile App”
Who requested it: “John’s CRM Access”
When it was created: “Production API - Jan 2024”

Good examples:

“CRM Integration - Production”
“Sarah’s Development Key”
“Third-Party Analytics Service”

Using API Keys

Include your API key in the X-API-Key header with every request:

curl -H "X-API-Key: idx_your_key_here" \
     https://api.your-domain.com/api/properties

Integration Examples

const response = await fetch('https://api.your-domain.com/api/properties', {
  headers: {
    'X-API-Key': 'idx_your_key_here'
  }
});
const data = await response.json();

import requests

headers = {'X-API-Key': 'idx_your_key_here'}
response = requests.get(
    'https://api.your-domain.com/api/properties',
    headers=headers
)
data = response.json()

curl -H "X-API-Key: idx_your_key_here" \
     https://api.your-domain.com/api/properties

Monitoring API Usage

Track API activity in the admin dashboard to identify issues and optimize integrations.

Viewing Usage Metrics

Navigate to Settings → API Keys to see:

Request counts — Total requests per key per time period
Error rates — Percentage of 4xx and 5xx responses
Response times — Average latency for successful requests
Usage trends — Graphs showing request volume over time

Key Performance Indicators

Metric	What to Watch For
Request Count	Sudden spikes may indicate runaway scripts
Error Rate	>5% suggests integration problems
Response Time	>1s indicates performance issues
Last Used	Keys unused for 90+ days should be reviewed

Setting Up Alerts

Configure notification preferences in Settings → Notifications
Enable alerts for:
- Rate limit exceeded
- Unusual request patterns
- High error rates
- Suspicious activity

Handling Rate Limits

When your integration approaches or exceeds rate limits:

Check Rate Limit Status

Rate limit headers are included in every API response:

HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 95
X-RateLimit-Reset: 1640995200

Implement Exponential Backoff

When you hit a rate limit (429 response):

Parse the Retry-After header
Wait the specified duration
Retry the request
If still failing, double the wait time
Maximum retry: 5 attempts

Example implementation:

async function makeRequest(url, attempt = 1) {
  const response = await fetch(url, {
    headers: { 'X-API-Key': apiKey }
  });

  if (response.status === 429 && attempt < 5) {
    const retryAfter = response.headers.get('Retry-After') || 60;
    await sleep(retryAfter * 1000);
    return makeRequest(url, attempt + 1);
  }

  return response;
}

Request a Limit Increase

If legitimate usage requires higher limits:

Contact your administrator
Provide justification (use case, expected volume)
Demonstrate current usage patterns
Limits can be adjusted per-key in admin settings

Revoking Keys

Disable keys that are compromised, unused, or no longer needed.

When to Revoke

Employee/contractor leaves the organization
Integration is decommissioned
Key may have been exposed (committed to git, logged, etc.)
Suspicious activity detected
Routine security audit (rotate keys periodically)

Revocation Process

Navigate to Settings → API Keys
Find the key in the list
Click the Revoke button
Confirm the action
Update any active integrations using that key

Revoked keys stop working immediately. Any integrations using that key will receive 401 Unauthorized responses.

Key Rotation

Regularly rotating API keys improves security.

Rotation Schedule

Critical systems: Every 90 days
Development keys: Every 180 days
Low-risk integrations: Annually
Immediately: On suspected compromise

Rotation Workflow

Create a new API key with the same permissions
Update integration to use the new key
Test that the integration works with the new key
Monitor for any issues (24-48 hours)
Revoke the old key
Document the rotation in your security log

Security Best Practices

Do’s

Use minimum required role — Don’t use admin keys for read-only operations
Rotate keys regularly — Especially after team changes
Monitor for anomalies — Review usage logs weekly
Use HTTPS only — Never send credentials over unencrypted connections
Store securely — Use environment variables or secret management services

Don’ts

Never expose keys in client-side code — Use server-side proxies instead
Don’t commit keys to version control — Add to .gitignore
Don’t share keys between services — Create separate keys for each integration
Don’t log API keys — Redact them in application logs
Don’t email or message keys — Use secure sharing methods

If a Key is Compromised

Immediately revoke the compromised key
Review recent activity for the key in usage logs
Create a new key with the same permissions
Update integrations to use the new key
Investigate how the compromise occurred
Document the incident for security audit

API Key Reference — Key format, permissions, and rate limits
API Key Security — Security model and risk assessment
API Overview — Complete API documentation