Managing Client Permissions

Control which routes clients can access and manage API keys securely.

Route Permissions

Restrict Client to Specific Routes

Why? Give partner integrations access only to what they need.
How:
  1. Edit client
  2. Under Allowed Routes, select specific routes
  3. Save
Now this client can only access those routes. Requests to other routes will be denied.

Route-Level Restrictions

You can also restrict from the route side:
  1. Edit a route
  2. Under Allowed Clients, select specific clients
  3. Save
Only those clients can access this route.
Best practice: Use client-level restrictions for third parties, route-level for sensitive endpoints.
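The two restrictions above are independent and both have to permit a request. The following is an added example (not the product's own code) showing how a gateway would combine a client's Allowed Routes with a route's Allowed Clients into one decision; the client and route names are constructed from the naming examples later on this page, and an empty allowlist is assumed to mean "no restriction":

```python
"""Added example (not the product's own code): combining client-level and
route-level allowlists into a single authorization decision."""
from dataclasses import dataclass, field


@dataclass
class Client:
    name: str
    enabled: bool = True
    # Empty set = no client-level restriction: every route is allowed.
    allowed_routes: set = field(default_factory=set)


@dataclass
class Route:
    path: str
    # Empty set = no route-level restriction: every client is allowed.
    allowed_clients: set = field(default_factory=set)


def is_authorized(client: Client, route: Route) -> tuple:
    """Return (allowed, reason). Both sides must permit the request; whichever
    side denies wins, which is what lets the two rule sets be layered."""
    if not client.enabled:
        return False, "client disabled"
    if client.allowed_routes and route.path not in client.allowed_routes:
        return False, "client lacks permission for this route"
    if route.allowed_clients and client.name not in route.allowed_clients:
        return False, "route does not allow this client"
    return True, "ok"


# Constructed sample configuration, not taken from any real deployment.
CLIENTS = {
    "partner-acme-integration": Client("partner-acme-integration",
                                       allowed_routes={"/v1/orders"}),
    "prod-mobile-ios-v2": Client("prod-mobile-ios-v2"),
    "staging-web-app": Client("staging-web-app", enabled=False),
}
ROUTES = {
    "/v1/orders": Route("/v1/orders"),
    "/v1/admin/users": Route("/v1/admin/users",
                             allowed_clients={"prod-mobile-ios-v2"}),
}


def check(client_name: str, path: str) -> tuple:
    """Look up both objects and evaluate the request; unknown names deny."""
    client = CLIENTS.get(client_name)
    route = ROUTES.get(path)
    if client is None or route is None:
        return False, "unknown client or route"
    return is_authorized(client, route)


if __name__ == "__main__":
    for name in CLIENTS:
        for path in ROUTES:
            print(name, path, check(name, path))
```

Note that the partner client is denied on the admin route by its own Allowed Routes before the route's Allowed Clients is ever consulted, and that a disabled client is rejected regardless of either list.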

API Key Management

Viewing Keys

The UI shows only the last 8 characters of a key; the rest is masked:
abc12345 → ********abc12345
This prevents the full key from being exposed accidentally.

Rotating Keys

When to rotate:
  • Every 90 days (scheduled maintenance)
  • Suspected compromise
  • Employee offboarding
  • App decommission
How to rotate:
  1. Open client details
  2. Click Rotate Key
  3. Copy new key
  4. Update applications
  5. Old key stops working immediately
Pro tip: To avoid downtime, generate the new key first, update every application, and only then revoke the old key.
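As an added example covering both the masked display above and the pro-tip rotation order (this is not the product's code, and the product's storage format is not described on the page), the store below keeps only a SHA-256 fingerprint and the last 8 characters of each key, so nothing more than the masked form can ever be displayed, and `rotate()` issues the new key while leaving the old one active until an operator revokes it by its visible suffix:

```python
"""Added example (not the product's own code): an API-key store that can
only ever display the last 8 characters, plus a rotation flow with an
overlap window so applications are updated before the old key is revoked."""
import hashlib
import hmac
import secrets
from typing import Optional

SUFFIX_LEN = 8  # the page shows only the last 8 characters


def mask_key(key: str) -> str:
    """Fixed-width mask: 8 asterisks plus the last 8 characters, so the
    display does not reveal the key's length (abc12345 -> ********abc12345)."""
    return "*" * SUFFIX_LEN + key[-SUFFIX_LEN:]


def _fingerprint(key: str) -> str:
    """SHA-256 of the key; this is all that is persisted for lookups."""
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """Assumption: the store never holds the full key after issue() returns it."""

    def __init__(self) -> None:
        # fingerprint -> {"client": name, "suffix": last 8 chars, "active": bool}
        self._keys = {}

    def issue(self, client: str) -> str:
        """Generate a key and return it exactly once."""
        key = secrets.token_urlsafe(32)
        self._keys[_fingerprint(key)] = {
            "client": client, "suffix": key[-SUFFIX_LEN:], "active": True}
        return key

    def rotate(self, client: str) -> tuple:
        """Pro-tip order: issue the new key first and leave the old one active.
        Returns (new_key, masked forms of the keys still to be revoked)."""
        new_key = self.issue(client)
        new_fp = _fingerprint(new_key)
        pending = ["*" * SUFFIX_LEN + rec["suffix"]
                   for fp, rec in self._keys.items()
                   if rec["client"] == client and rec["active"] and fp != new_fp]
        return new_key, pending

    def revoke_by_suffix(self, client: str, suffix: str) -> int:
        """Revoke the key an operator identified by its visible last 8
        characters; returns how many records were deactivated (normally 1)."""
        n = 0
        for rec in self._keys.values():
            if rec["client"] == client and rec["suffix"] == suffix and rec["active"]:
                rec["active"] = False
                n += 1
        return n

    def authenticate(self, presented: str) -> Optional[str]:
        """Return the client name for an active key, else None. Fingerprints
        are compared with a constant-time function."""
        fp = _fingerprint(presented)
        for stored_fp, rec in self._keys.items():
            if hmac.compare_digest(stored_fp, fp) and rec["active"]:
                return rec["client"]
        return None


if __name__ == "__main__":
    store = KeyStore()
    old = store.issue("partner-acme-integration")
    new, pending = store.rotate("partner-acme-integration")
    print("update apps to", mask_key(new), "then revoke", pending)
    store.revoke_by_suffix("partner-acme-integration", old[-SUFFIX_LEN:])
    print(store.authenticate(old), store.authenticate(new))
```

During the overlap both keys authenticate; once the old suffix is revoked only the new one does, which is the window the pro tip relies on.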

Revoking Access

Temporary disable:
  1. Open client
  2. Click Disable
  3. Re-enable later if needed
Permanent removal:
  1. Click Delete Client
  2. Confirm
  3. Key is revoked immediately

Rate Limiting Per Client

Apply limits per client:
  1. Edit route
  2. Enable Rate Limiting
  3. Configure per-client limits:
    • Requests: 1000
    • Window: 60 seconds
    • Burst: 1200
Prevents abuse and ensures fair usage.
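To show what the three numbers above mean in practice, here is an added token-bucket limiter (not the product's code) parameterized with the page's values: 1000 requests per 60-second window with a burst of 1200. The assumption, since the page does not define the term, is that "burst" is the bucket capacity, i.e. how far a client may briefly exceed the sustained rate; the clock is injected so the refill can be exercised deterministically.

```python
"""Added example (not the product's own code): a per-client token bucket
using the page's figures (1000 requests / 60 s window, burst 1200)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    requests: int = 1000  # sustained allowance per window
    window_s: int = 60
    burst: int = 1200     # assumption: bucket capacity


@dataclass
class _Bucket:
    tokens: float
    last: float


class PerClientRateLimiter:
    """One bucket per client id. The clock is injected for testability;
    production code would pass time.monotonic."""

    def __init__(self, limit: Limit, clock) -> None:
        self.limit = limit
        self.clock = clock
        self._buckets = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        b = self._buckets.get(client)
        if b is None:  # a new client starts with a full bucket
            b = self._buckets[client] = _Bucket(float(self.limit.burst), now)
        # Refill in proportion to elapsed time, never above the burst size.
        refill = (now - b.last) * self.limit.requests / self.limit.window_s
        b.tokens = min(float(self.limit.burst), b.tokens + refill)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


class FakeClock:
    """Manually advanced clock for the simulation below."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate(burst_requests: int, wait_s: float, follow_up: int) -> tuple:
    """Fire burst_requests back-to-back from one client, wait wait_s seconds,
    then fire follow_up more. A second client sends one request during the
    burst to show the buckets are independent. Returns
    (accepted in burst, accepted in follow-up, accepted for other client)."""
    clock = FakeClock()
    limiter = PerClientRateLimiter(Limit(), clock)
    first = sum(limiter.allow("prod-mobile-ios-v2") for _ in range(burst_requests))
    other = int(limiter.allow("partner-acme-integration"))
    clock.advance(wait_s)
    second = sum(limiter.allow("prod-mobile-ios-v2") for _ in range(follow_up))
    return first, second, other


if __name__ == "__main__":
    print(simulate(1500, 60, 1500))  # (1200, 1000, 1)
```

A client that hammers the gateway gets exactly 1200 requests through before being refused, and after a full 60-second window only 1000 more, which is the sustained rate; the partner client's bucket is untouched by the abusive one.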

IP Allowlisting

Restrict client to specific IPs:
  1. Edit client
  2. Add Allowed IPs:
    192.168.1.1
    10.0.0.0/8
  3. Save
Only requests from those IPs will be accepted.
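The check the gateway performs with that list, as an added example that is not the product's own code, using the page's two entries (a single host and a /8). One detail worth getting right: an entry with host bits set, such as 10.0.0.1/8, is rejected as a probable typo rather than silently widened to the whole /8, and the source address must be the connection's peer address (or one set by a trusted proxy), never a header the client itself can write.

```python
"""Added example (not the product's own code): evaluating a client's
Allowed IPs list against a request's source address."""
import ipaddress
from typing import List


def parse_allowlist(entries: List[str]) -> list:
    """Turn the configured strings into network objects. A bare address
    becomes a single-host network (/32 or /128). strict=True makes an entry
    like 10.0.0.1/8 raise ValueError instead of becoming 10.0.0.0/8."""
    return [ipaddress.ip_network(entry.strip(), strict=True) for entry in entries]


def is_source_allowed(allowlist: list, source_ip: str) -> bool:
    """Empty allowlist means the client has no IP restriction. source_ip must
    come from the TCP peer (or a trusted proxy), not from a client-supplied
    header; an unparseable source is denied."""
    if not allowlist:
        return True
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowlist)


if __name__ == "__main__":
    nets = parse_allowlist(["192.168.1.1", "10.0.0.0/8"])  # the page's entries
    for ip in ["192.168.1.1", "192.168.1.2", "10.250.3.4", "11.0.0.1"]:
        print(ip, is_source_allowed(nets, ip))
```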

Monitoring Client Activity

Track client behavior:
  1. Go to Analytics
  2. Filter by client
  3. Monitor:
    • Request volume
    • Error rates
    • Response times
    • Geographic distribution

Set Up Alerts

Get notified of issues:
  • Error rate > 10% for this client
  • Unusual request volume
  • Requests from unexpected locations
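The three alert conditions above, evaluated over a batch of constructed per-request analytics records as an added example (not the product's code). Two assumptions the page leaves open are made explicit: HTTP statuses of 400 and above count as errors, and "unusual volume" is taken to mean more than three times the client's recorded baseline; expected countries and baselines per client are constructed operator context.

```python
"""Added example (not the product's own code): evaluating the page's three
alert conditions over constructed (client, HTTP status, country) records."""
from collections import Counter, defaultdict
from typing import List, Tuple

ERROR_RATE_THRESHOLD = 0.10  # the page's "error rate > 10%"
VOLUME_FACTOR = 3.0          # assumption: "unusual" = more than 3x baseline

# Constructed analytics records for one window; not real traffic.
RECORDS: List[Tuple[str, int, str]] = (
    [("partner-acme-integration", 200, "DE")] * 17
    + [("partner-acme-integration", 502, "DE")] * 3
    + [("prod-mobile-ios-v2", 200, "US")] * 17
    + [("prod-mobile-ios-v2", 200, "CA")] * 2
    + [("prod-mobile-ios-v2", 401, "RU")]
    + [("staging-web-app", 200, "US")] * 20
)
# Constructed per-client context an operator would maintain.
BASELINE_VOLUME = {"partner-acme-integration": 20,
                   "prod-mobile-ios-v2": 20,
                   "staging-web-app": 5}
EXPECTED_COUNTRIES = {"partner-acme-integration": {"DE"},
                      "prod-mobile-ios-v2": {"US", "CA"},
                      "staging-web-app": {"US"}}


def evaluate_alerts(records, baseline, expected) -> List[Tuple[str, str, str]]:
    """Return (client, alert kind, detail) for every condition that fires."""
    total = Counter()
    errors = Counter()
    countries = defaultdict(Counter)
    for client, status, country in records:
        total[client] += 1
        if status >= 400:  # assumption: 4xx and 5xx both count as errors
            errors[client] += 1
        countries[client][country] += 1

    alerts = []
    for client in sorted(total):
        rate = errors[client] / total[client]
        if rate > ERROR_RATE_THRESHOLD:
            alerts.append((client, "error_rate",
                           f"{rate:.0%} of {total[client]} requests failed"))
        base = baseline.get(client, 0)
        if base and total[client] > VOLUME_FACTOR * base:
            alerts.append((client, "volume",
                           f"{total[client]} requests vs baseline {base}"))
        unexpected = set(countries[client]) - expected.get(client, set())
        if unexpected:
            alerts.append((client, "location",
                           "requests from " + ", ".join(sorted(unexpected))))
    return alerts


if __name__ == "__main__":
    for client, kind, detail in evaluate_alerts(RECORDS, BASELINE_VOLUME,
                                                EXPECTED_COUNTRIES):
        print(f"[{kind}] {client}: {detail}")
```

On the sample data the partner client trips the error-rate rule (3 of 20), the mobile client trips the location rule with a single request from an unexpected country, and the staging client trips the volume rule; a client whose failures stay at or below 10% raises nothing.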

Client Organization

Naming Convention

Use clear, consistent names:
[env]-[app]-[version]
Examples:
  • prod-mobile-ios-v2
  • staging-web-app
  • partner-acme-integration

Use Descriptions

Document important details:
  • Purpose of this client
  • Owner/team
  • Created date
  • Next rotation date

Troubleshooting

“Invalid API Key”
  • Key was rotated or revoked
  • Check last 8 characters match
  • Verify client is enabled
“Access Denied”
  • Client lacks permission for this route
  • Check client’s allowed routes
  • Check route’s allowed clients
High Error Rate
  • Review client’s error logs
  • Check if backend is having issues
  • Consider disabling if abusive

Next Steps

  • Set up environments for per-env API keys
  • Learn about secrets for backend credentials
  • Configure monitoring and alerts

🏷️ Tags

clients, permissions, security, api-keys