API keys for Workflow

Programmatic credentials for the Workflow API

For machine-to-machine communication, you can create API keypairs for your Workflow Account or Board from the Administration Settings section of the Workflow Web UI. These keys can then be exchanged for access tokens using the Authorization Server's token endpoint with the Client Credentials Grant.

Keys are owned by the Workflow account or board they were created for and cease to exist, at the latest, when their owning board or account is closed.

You can generate both account-specific and board-specific API keypairs from the Workflow Web UI, using the Administration -> Settings -> API keys screen under Board settings or Account settings, depending on which type of API key you want to create.

To see API keys for an account, your user account needs full account administrator permissions for that Workflow account. To see API access management for a board, your user account needs the full Admin role for the Workflow board, either explicitly or inherited from account admin status.

You can also enable or disable individual keypairs to temporarily prevent access to the API data using those credentials, add a comment describing a key's purpose, and edit the scopes that a key can request when getting an access token.

If the given API keypair is no longer needed or in use, you can also remove it completely.

❗️

Removing an API keypair is an irreversible operation

Once removed, a keypair cannot be recovered and used again, and all clients using that keypair will cease to be able to access data from the API unless a new set of credentials is used instead.

🚧

Mind the security in handling API keys

API keypairs should be treated as security-sensitive information, as they can potentially give any party holding the credentials full administrative access to a given board or account. To ensure that keys don't have any greater permissions than strictly necessary, always select an appropriate set of scopes that enables the keypair to perform its intended function but does not grant broader rights than that.

For this reason, only users with board admin or account admin roles can see and generate API keypairs in the Workflow Web UI, and you should guard access to the generated credentials.
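The token exchange and the scope advice above can be combined in client code. The following is an added example, not code from the Workflow project: it builds a Client Credentials Grant request as defined in RFC 6749, asks only for the scopes the job needs, and rejects a token that carries more than was requested. The token URL, the environment variable names and the scope names used with it are assumptions or placeholders, as is the use of HTTP Basic authentication for the keypair.

```python
import base64
import json
import os
import urllib.parse
import urllib.request

# Placeholder: the page does not give the Authorization Server's token URL.
TOKEN_URL = "https://auth.example.invalid/oauth2/token"


def build_token_request(key_id, key_secret, scopes, token_url=TOKEN_URL):
    """Build an RFC 6749 section 4.4 client credentials token request."""
    if not token_url.startswith("https://"):
        raise ValueError("refusing to send an API keypair over a non-TLS URL")
    # RFC 6749 section 2.3.1: form-encode id and secret before Basic-encoding.
    quoted = [urllib.parse.quote_plus(v) for v in (key_id, key_secret)]
    basic = base64.b64encode(":".join(quoted).encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return urllib.request.Request(token_url, data=body.encode(), method="POST", headers={
        "Authorization": "Basic " + basic,
        "Content-Type": "application/x-www-form-urlencoded",
    })


def check_token_response(raw_json, requested_scopes):
    """Return the access token, rejecting a grant broader than requested."""
    doc = json.loads(raw_json)
    if "access_token" not in doc:
        raise ValueError("token request failed: " + str(doc.get("error", "unknown")))
    # RFC 6749 section 5.1: "scope" may be omitted when equal to the request.
    granted = set((doc.get("scope") or " ".join(requested_scopes)).split())
    extra = granted - set(requested_scopes)
    if extra:
        raise PermissionError("token carries unrequested scopes: " + ", ".join(sorted(extra)))
    return doc["access_token"]


def fetch_token(scopes):
    """Read the keypair from the environment and exchange it for a token."""
    # Hypothetical variable names; keep the keypair out of source control.
    req = build_token_request(os.environ["WORKFLOW_KEY_ID"], os.environ["WORKFLOW_KEY_SECRET"], scopes)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return check_token_response(resp.read().decode(), scopes)
```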