API keys let your code, scripts or external tools talk to the Zendrhax API without using login credentials.
Who can access /api-keys: only the workspace Owner. Workspace Admins do not have access to this page.
Plan requirement: the workspace's plan must include the tenant_api_keys (or api_access) feature. On plans without it, attempts to create a key return feature_not_available.
Per-plan quotas
The platform plan caps how many active API keys a workspace can hold at once:
| Plan | Active API keys |
|---|---|
| Free | 1 |
| Starter | 5 |
| Pro | 20 |
| Enterprise | unlimited |
You can always revoke a key to free up a slot.
Create a key
- Sign in as the workspace Owner.
- Open /api-keys.
- Type a name ("Zapier integration", "Internal dashboard", etc.) and click Generate.
The full plaintext key is shown once on the next screen. The format is sk_ followed by 64 hex characters. Copy it immediately — we only store the SHA-256 hash, so we cannot display it to you again. If you lose it, revoke the key and generate a new one.
Use a key
Send it as the Authorization: Bearer <key> header on every API request:
GET /api/invoices HTTP/1.1
Host: app.zendrhax.com
Authorization: Bearer sk_a1b2c3d4e5f6...
The key is scoped to the workspace it was created in. It cannot read or modify data from any other workspace, even if you also belong to those.
Revoke a key
- Open /api-keys.
- Click Revoke on the row of the key you want to disable.
A revoked key is dead immediately — anything still using it gets 401 Unauthorized on its next request. Revoking also frees up the slot toward your plan quota.
Security best practice
- One key per integration. If a key leaks you revoke just that one without breaking the rest.
- Never commit a key to a public git repo. GitHub auto-scans for secrets, but a leaked key is a leaked key.
- Rotate keys when someone with access leaves. Same as passwords.
- Use the rate-limit headers the API returns to back off before tripping the limiter.