API keys
Create, view, and revoke API keys in Settings, the paid-plan requirement, and security guidance.
API keys authenticate your code against the REST API. Each key is scoped to one workspace and acts on your behalf, so anyone holding a key can do what you can do in that workspace through the API. Treat keys like passwords.
Who can manage keys
Two things have to be true to create keys:
- Your role. You must be the owner or an admin of the workspace. Members do not see the API Keys section.
- Your plan. The workspace must be on a paid plan: Pro, Team, or Consultant (Internal workspaces also qualify). On a free workspace the section is hidden, and a key created before a downgrade returns 403 with the code PAID_PLAN_REQUIRED.
See Plans & billing for plan details.
Creating a key
Keys live in Settings → API Keys.
- Select Create key.
- Give the key a recognizable name (for example, CI pipeline). The name is how you tell your keys apart later, so make it specific.
- Select Create key in the dialog.
The key is generated and shown to you once.
Copy it now
The key is shown only once
The full key appears exactly once, right after you create it. ForceVue stores only a hash plus the first few characters for display, so we cannot show it again or recover it. Copy it before you close the dialog.
Copy the key from the dialog and store it somewhere safe (a secrets manager, your CI provider's secret store, an environment variable). If you close the dialog without copying it, the key is gone. Revoke it and create a new one.
A full key looks like fvk_live_ followed by a random body. In the keys table you only ever see the prefix, for example fvk_live_aB3x…, which is enough to recognize a key without exposing it.
Viewing and revoking keys
The API Keys section lists every key for the workspace with its name, prefix, when it was created, and when it was last used. A workspace can have at most 10 active keys at once. Revoke one before creating another if you hit the limit.
To revoke a key, select the revoke button on its row and confirm. Revoking takes effect immediately: any application using that key loses access on its next request. Revoking cannot be undone.
Revoked keys stay in the list, marked as revoked, so you keep a record of what existed. They no longer authenticate.
Rotating a key
There is no in-place rotation. To rotate, create a new key, update your application to use it, confirm everything works, then revoke the old key. Because you can hold several active keys at once, you can cut over with no downtime.
Security guidance
- Treat keys like passwords. Anyone with a key can act in your workspace through the API.
- Never commit a key to source control. Keep keys in environment variables or a secrets manager, not in code or config files you check in.
- Use one key per application. Separate keys for separate uses let you revoke one without disrupting the others, and the last-used timestamp tells you which key is which.
- Rotate on suspicion. If a key might be exposed, revoke it immediately and create a replacement.
- Mind the role and plan gates. Keys keep working only while the workspace stays on a paid plan and you keep your access to it.
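To back up the "never commit a key" rule, here is an added example (not ForceVue's own code) of a pre-commit style check that flags strings carrying the documented fvk_live_ prefix and reports them redacted to the prefix, as the keys table does. The body length and character set in the pattern, and the FORCEVUE_API_KEY variable name in the sample, are assumptions.

```python
import re
import sys
from pathlib import Path

# Assumption: the random body is at least 16 characters drawn from
# letters, digits, "_" and "-". Only the fvk_live_ prefix is documented.
KEY_RE = re.compile(r"fvk_live_[A-Za-z0-9_-]{16,}")
DISPLAY_BODY_CHARS = 4  # constructed choice, mirrors "fvk_live_aB3x…"


def redact(key: str) -> str:
    """Keep the prefix plus a few characters so reports never leak the key."""
    return key[: len("fvk_live_") + DISPLAY_BODY_CHARS] + "…"


def scan_text(text: str, source: str = "<text>"):
    """Return (source, line_number, redacted_key) for every candidate key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(match.group(0))))
    return findings


def scan_paths(paths):
    """Scan files, skipping anything unreadable or not valid UTF-8."""
    findings = []
    for path in map(Path, paths):
        try:
            text = path.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue
        findings.extend(scan_text(text, str(path)))
    return findings


# Constructed sample: a hard-coded key, an environment lookup (hypothetical
# variable name), and a harmless mention of the display prefix.
SAMPLE = (
    'API_KEY = "fvk_live_aB3xQ9mZ7pLk2VtR8wYc"\n'
    'API_KEY = os.environ["FORCEVUE_API_KEY"]\n'
    "# key prefix shown in the UI: fvk_live_aB3x…\n"
)

if __name__ == "__main__":
    hits = scan_paths(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE, "sample")
    for source, lineno, shown in hits:
        print(f"{source}:{lineno}: possible API key {shown}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit
```

Run it with the staged file paths as arguments from a pre-commit hook; any hit means the key should be revoked and replaced, since it has already been written to disk outside a secret store.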
Where to go next
- REST API overview for base URL, auth, and the endpoint list.
- API reference for every endpoint with schemas and examples.
- Plans & billing for the plans that include API access.