API Keys
API keys allow applications and scripts to authenticate with the Optra Edge Portal programmatically. Use them to integrate external tools, automate workflows, or interact with the portal's API without a browser session.
Each API key carries admin-level access to your organization. Treat each key with the same care as a password.
Who can manage API keys
The Admin role is required to generate, view, and revoke API keys.
If you do not see the API Keys button on the Users page, the feature may not be enabled for your organization. Contact your administrator or Optra Support to have it enabled.
Where to find API keys
There are two entry points to the API Keys panel:
- From the Users page — Click the Users tab in the top navigation bar. The API Keys button appears in the page header. This manages keys scoped to the current organization.
- From your Profile page — Click your name or avatar in the top-right corner to open your profile. An API Keys button appears in the profile header when you are on a personal account and the feature is enabled.
Generate a new API key
- Navigate to the API Keys panel (see Where to find API keys above).
- Click Generate Key.
- The new key is displayed immediately.
- Copy the key and store it somewhere secure.
Using your API key
API keys authenticate requests to the Optra Edge Portal's GraphQL API. Include the key as an HTTP header named api-secret on every request.
POST /graphql
Content-Type: application/json
api-secret: <your-api-key>
{"query": "{ ... }"}
For example, using curl:
curl -X POST https://<your-portal-api-url>/graphql \
-H "Content-Type: application/json" \
-H "api-secret: <your-api-key>" \
-d '{"query": "{ devices { data { id name } } }"}'
Replace <your-portal-api-url> with the base URL of your Optra Edge Portal API and <your-api-key> with the secret value from the API Keys panel.
Revoke an API key
Revoking a key permanently deletes it. Any application or script using that key will lose access immediately.
- Navigate to the API Keys panel.
- Locate the key you want to remove.
- Click the Revoke button next to that key.
- Confirm the action when prompted.
Revoking a key is permanent and cannot be undone. If you need access again, you must generate a new key and update any applications that were using the old one.
Security best practices
- Treat API keys like passwords. Anyone with a key has admin-level access to your organization.
- Store keys securely. Save the secret value in environment variables or a secrets manager — never commit it to source control.
- Use one key per integration. Assigning a dedicated key per application makes it easier to revoke a single key without disrupting other integrations.
- Revoke keys you no longer use. Unused keys are an unnecessary risk. Revoke them promptly when an integration is decommissioned.
- Rotate keys periodically. Revoke and regenerate keys on a regular schedule or immediately if you suspect a key has been compromised.
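One way to apply the "store keys securely" practice to the curl request shown earlier, as an added example that is not part of the Optra documentation: the key is read from the environment and handed to curl on stdin, so it does not end up in the script, in shell history, or in the process argument list. The variable names OPTRA_API_URL and OPTRA_API_SECRET and the function names are assumptions made for this example, and `-H @-` requires curl 7.55.0 or later.

```shell
#!/bin/sh
# Added example: query the portal's GraphQL API with the key taken from the
# environment. OPTRA_API_URL and OPTRA_API_SECRET are assumed variable names.

# Fail closed: require a key, require HTTPS, reject CR/LF inside the key.
optra_check_env() {
  cr=$(printf '\r')
  nl='
'
  if [ -z "${OPTRA_API_SECRET:-}" ]; then
    echo "OPTRA_API_SECRET is not set" >&2; return 1
  fi
  case "$OPTRA_API_SECRET" in
    *"$cr"*|*"$nl"*) echo "OPTRA_API_SECRET contains a line break" >&2; return 1 ;;
  esac
  case "${OPTRA_API_URL:-}" in
    https://?*) return 0 ;;
    *) echo "OPTRA_API_URL must be an https:// URL" >&2; return 1 ;;
  esac
}

# Emit the request headers, one per line, for curl to read from stdin.
# printf is a shell builtin, so the key never becomes a process argument.
optra_headers() {
  printf 'Content-Type: application/json\napi-secret: %s\n' "$OPTRA_API_SECRET"
}

# optra_query '<json-body>': POST the body to /graphql.
optra_query() {
  optra_check_env || return 1
  optra_headers | curl --silent --show-error --fail \
    -X POST -H @- --data "$1" "${OPTRA_API_URL%/}/graphql"
}

# Usage, with both variables exported by your secrets manager or CI settings:
#   optra_query '{"query": "{ devices { data { id name } } }"}'
```

Because each integration reads its own OPTRA_API_SECRET, rotating or revoking one key only requires updating that integration's environment.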