API Keys — Generate & Manage Access Tokens
API Keys let you interact with CloakMetric programmatically. Create keys with specific permissions and expiration dates to integrate CloakMetric into your workflows. Available on Business and Enterprise plans.
Creating an API Key
- Go to Settings > API Keys.
- Click Create API Key.
- Enter a descriptive name (e.g., “CI/CD Pipeline”, “Internal Tool”).
- Select a permission level.
- Choose an expiration period.
- Click Create.
Permission Levels
| Level | Read | Create/Update | Delete |
|---|---|---|---|
| Read-only | Yes | No | No |
| Standard | Yes | Yes (aliases, campaigns) | No |
| Full Access | Yes | Yes (all resources) | Yes |
Read-only
Can query aliases, campaigns, email logs, and analytics. Cannot make any changes.
Standard
Can create and update aliases and campaigns. Cannot delete resources or access sensitive settings.
Full Access
Complete access to all API endpoints, including deleting aliases, managing domains, and workspace settings.
Expiration Options
| Option | Duration |
|---|---|
| No expiration | Key never expires |
| 30 days | Expires after 30 days |
| 90 days | Expires after 90 days |
| 180 days | Expires after 180 days |
| 1 year | Expires after 365 days |
Expired keys are automatically disabled. You can create a new key at any time.
Rate Limiting
All API keys are rate-limited to 1,000 requests per hour by default. If you exceed this limit, requests will return a 429 Too Many Requests response.
Enterprise customers can request custom rate limits through their account manager.
Managing API Keys
Viewing Keys
The API Keys page shows all your keys with:
- Name — Descriptive label you set
- Permission level — Read-only, Standard, or Full Access
- Created date
- Last used — When the key was last used
- Total calls — Number of API calls made with this key
- Status — Active or Revoked
Revoking a Key
Revoke a key to disable it without deleting it. Revoked keys can be referenced for audit purposes but cannot make API calls.
- Find the key in the list.
- Click Revoke.
- Confirm.
Deleting a Key
Permanently remove a key and its usage history.
- Find the key in the list.
- Click Delete.
- Confirm.
Security Best Practices
- Use the minimum permission level needed. Don’t create Full Access keys if Standard will do.
- Set expiration dates. Rotate keys regularly.
- Never commit keys to source control. Use environment variables or secret managers.
- Revoke compromised keys immediately. If a key is exposed, revoke it and create a replacement.
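The practices above can be checked periodically against your key inventory. The script below is an added example, not CloakMetric code: it audits a hand-transcribed copy of the API Keys page for Full Access keys, keys with no expiration, keys close to expiry, and keys that have gone unused. The record field names, the sample keys, and the 90-day and 14-day thresholds are assumptions.

```python
from datetime import date, timedelta

# Constructed inventory, transcribed by hand from the API Keys page. Field names
# are hypothetical; "expires" is the date implied by the period chosen at
# creation (None means "No expiration").
KEYS = [
    {"name": "CI/CD Pipeline", "level": "Full Access", "status": "Active",
     "created": date(2024, 1, 10), "last_used": date(2024, 6, 30), "expires": None},
    {"name": "Internal Tool", "level": "Standard", "status": "Active",
     "created": date(2023, 11, 1), "last_used": date(2024, 2, 15), "expires": date(2024, 10, 31)},
    {"name": "Dashboard export", "level": "Read-only", "status": "Active",
     "created": date(2024, 4, 10), "last_used": date(2024, 6, 28), "expires": date(2024, 7, 9)},
    {"name": "Old migration", "level": "Full Access", "status": "Revoked",
     "created": date(2023, 5, 2), "last_used": date(2023, 6, 1), "expires": None},
    {"name": "Reporting", "level": "Read-only", "status": "Active",
     "created": date(2024, 6, 1), "last_used": date(2024, 6, 30), "expires": date(2024, 11, 28)},
]

STALE_AFTER = timedelta(days=90)    # assumption: idle this long means review for revocation
ROTATE_WITHIN = timedelta(days=14)  # assumption: lead time to issue a replacement key


def audit(keys, today):
    """Return {key name: [finding codes]} for keys that can still make API calls."""
    findings = {}
    for k in keys:
        if k["status"] != "Active":
            continue  # revoked keys cannot make API calls
        if k["expires"] is not None and k["expires"] <= today:
            continue  # expired keys are automatically disabled
        codes = []
        if k["level"] == "Full Access":
            codes.append("full-access")    # check whether Standard would do
        if k["expires"] is None:
            codes.append("no-expiration")  # set an expiration and rotate
        elif k["expires"] - today <= ROTATE_WITHIN:
            codes.append("rotate-soon")    # create the replacement before expiry
        last_seen = k["last_used"] or k["created"]  # never-used keys age from creation
        if today - last_seen > STALE_AFTER:
            codes.append("stale")          # unused key: candidate for revocation
        if codes:
            findings[k["name"]] = codes
    return findings


if __name__ == "__main__":
    for name, codes in audit(KEYS, date(2024, 7, 1)).items():
        print(f"{name}: {', '.join(codes)}")
```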