Keebai API keys are Personal Access Tokens (PATs): each user mints their own, with explicit scopes, revocable at any time. A token always acts with the identity of the user who created it.

Unlock developer mode

You need the developer.manage_tokens permission to see and manage tokens. It’s a new permission that a tenant admin has to grant you:
1. Ask an admin. They go to System Settings → Roles, open your role, check Manage API Tokens under Developer, and save.
2. Refresh your session. Log out and back in so the UI picks up the new permissions. You’ll see the Developer API banner at the bottom of System Settings.

Create a token

1. Open API Keys. Go to System Settings, scroll to the Developer API banner and click Open API Keys. Direct URL: app.keebai.com/system-settings/api-keys.
2. Click Create API Key. A modal opens with three fields.
3. Name it. Give the token a descriptive name; it saves you headaches later when you have many active tokens. Examples: Zapier production, n8n nightly sync, Local dev.
4. Pick the scopes. Check only the permissions the token actually needs. The list shows only the permissions your own user holds, so a token can never carry more access than its creator.
Least privilege wins. If your integration only reads messages, don’t grant write permissions. The tighter the scope, the smaller the blast radius if the token leaks.
5. Set expiration (optional). We recommend 90 days. After that date the token stops working and you mint a new one. Leave it blank for no expiration.
6. Confirm and copy. Click Create token. Keebai shows the token once, with a Copy token button. Paste it into your secret manager before closing the modal.
This is the only time you’ll see the full token. If you lose it, revoke it and create a new one.

Token anatomy

Tokens look like this:
kbai_pk_a1b2c3d4e5f6...0123456789abcdef
  • kbai_pk_ prefix — identifies the Keebai format. Secret-scanning tools (GitHub secret scanning, gitleaks) recognize it automatically if the token ever lands in a public repo.
  • 64 hex chars — 32 bytes of entropy (256 bits). Not predictable.
After creation, Keebai displays only the first 12 characters (the kbai_pk_ prefix plus the first 4 hex chars); the full token is stored only as a hash on the server, so it cannot be recovered later.

List and audit your tokens

The API Keys table shows every token you’ve created (active and revoked), one column per item below:
  • Name: whatever you typed at creation.
  • Prefix: first 12 chars (kbai_pk_a1b2). Lets you identify it without exposing the secret.
  • Scopes: permissions assigned to the token.
  • Last used: timestamp of the last successful request. Helps spot abandoned or suspicious tokens.
  • Expires: expiration date, or Never if not set.
  • Status: Active, Expired, or Revoked.

Revoke a token

If you suspect a leak, or you don’t need the token anymore:
1. Find the row. Look it up by name or prefix.
2. Click Revoke. In the last column, click Revoke and confirm in the dialog.
3. Verify. The token stops working immediately; any further request with it returns 401 Unauthorized. The row stays in the table with status Revoked for audit; it isn’t deleted.

Best practices

  • One token per integration. Zapier + a local script + an internal cron? Three separate tokens. If one leaks, revoke just that one.
  • Rotate every 90 days. Even without an incident — mint the new one, update integrations, revoke the old.
  • Never on the client. These tokens are backend-to-backend. Don’t ship them inside a mobile app, a public SPA, or anything a user can inspect.
  • Proper storage. Secrets managers (AWS Secrets Manager, 1Password, GitHub Actions secrets, Vault) — never config files committed to the repo.
  • Watch Last used. A token unused for months? Revoke it. A token used outside its expected hours? Investigate.

Limits

  • Up to 10 active tokens per user. Hit the limit? Revoke one before creating a new one. Need more? Email support@keebai.com.
  • Revoked tokens don’t count toward the limit.
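To make the server-side model concrete (the token anatomy above, the audit columns, revocation returning 401, and the 10-active-token limit), here is an added example of how such a token service can be implemented. It is not Keebai’s code: the hash function (SHA-256), the scope names, and the 403-for-missing-scope behaviour are assumptions; the page only says the token is hashed server-side and that revoked or expired tokens get 401. The regex also doubles as a custom secret-scanner rule, since it matches only a full secret and never the 12-char prefix shown in the table.

```python
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Token format from the page: "kbai_pk_" followed by 64 lowercase hex chars (32 random bytes).
TOKEN_RE = re.compile(r"kbai_pk_[0-9a-f]{64}")
PREFIX_LEN = 12            # "kbai_pk_" + first 4 hex chars, exactly what the API Keys table shows
MAX_ACTIVE_PER_USER = 10   # limit stated on the page; revoked tokens do not count


def digest(token: str) -> str:
    # Assumption: SHA-256 of the full token. The page only says it is hashed server-side.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class TokenRecord:
    """What the server keeps: every column of the API Keys table, but never the secret."""
    name: str
    user: str
    prefix: str
    digest: str
    scopes: frozenset
    expires_at: Optional[datetime]
    last_used: Optional[datetime] = None
    revoked: bool = False

    def status(self, now: datetime) -> str:
        if self.revoked:
            return "Revoked"
        if self.expires_at is not None and now >= self.expires_at:
            return "Expired"
        return "Active"


class TokenStore:
    def __init__(self):
        self.records = []  # all tokens, revoked ones included, so the audit trail survives

    def mint(self, name, user, user_permissions, scopes, ttl_days=None, now=None):
        """Create a token. The plaintext is returned exactly once; only the record is retained."""
        now = now or datetime.now(timezone.utc)
        scopes = frozenset(scopes)
        if not scopes <= frozenset(user_permissions):
            raise PermissionError("token scopes must be a subset of the user's own permissions")
        # Assumption: expired tokens are treated like revoked ones for the limit.
        active = [r for r in self.records if r.user == user and r.status(now) == "Active"]
        if len(active) >= MAX_ACTIVE_PER_USER:
            raise RuntimeError("active token limit reached; revoke one before creating another")
        token = "kbai_pk_" + secrets.token_hex(32)  # 32 bytes = 256 bits of entropy
        expires = now + timedelta(days=ttl_days) if ttl_days else None
        self.records.append(
            TokenRecord(name, user, token[:PREFIX_LEN], digest(token), scopes, expires)
        )
        return token

    def revoke(self, prefix):
        """Revoke by the displayed prefix; the row stays for audit."""
        for r in self.records:
            if r.prefix == prefix and not r.revoked:
                r.revoked = True

    def authenticate(self, presented, now=None):
        """Map a presented token to (http_status, record). Anything that is not Active is 401."""
        now = now or datetime.now(timezone.utc)
        if not TOKEN_RE.fullmatch(presented):
            return 401, None
        wanted = digest(presented)
        # The prefix narrows the search; the hash comparison itself is constant-time.
        for r in self.records:
            if r.prefix == presented[:PREFIX_LEN] and hmac.compare_digest(r.digest, wanted):
                if r.status(now) != "Active":
                    return 401, None
                r.last_used = now  # feeds the "Last used" column
                return 200, r
        return 401, None

    def authorize(self, presented, scope, now=None):
        """401 for a bad, expired or revoked token; 403 for a live token lacking the scope."""
        code, r = self.authenticate(presented, now)
        if code != 200:
            return code
        return 200 if scope in r.scopes else 403
```

The record never holds the plaintext, so a database dump yields only prefixes and digests; an attacker would have to brute-force 256 bits to use one. Because the prefix is public (it appears in the table), it is used only to narrow the lookup, and the decision always rests on the constant-time digest comparison.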