This feature is in closed beta, so only selected clients can access it now. If you are interested in implementing it in the future, please contact our Support team.
Internal API keys are credentials generated in and managed by your VTEX account. This means you should have access to all pairs of API keys and tokens, which are akin to usernames and passwords for API integrations.
The Generated tab lists the API keys created by your account.
The page displays the following information in a table:
Column | Description |
---|---|
Key/Name | API key, followed by the name defined when creating the key. |
Token duration | Duration of the API token. |
Roles | Roles associated with the API key. |
Created date | API key created date. |
Status | API key status, which can be Active or Inactive. |
This page allows you to:
Generating keys
Follow the instructions below to create a new API key:
- In the top bar of the VTEX Admin, click your profile avatar — indicated by the first letter of your email — and then click Account Settings > API Keys.
- Make sure you are in the Generated tab.
- Click + Generate Key.
- Complete the Key identification field with a name to identify the API key. This field is required.
- Select the roles that will be associated with the key. By default, no role is pre-selected.
  Select only the roles required for the integration that will use the API key. Unrestricted use of overly permissive roles increases the risk of store attacks through leaked login credentials.
- Click Generate.
- Click Copy to copy the API token to the clipboard. This secret will only be displayed once. Save it in a safe place. At this step, the key is already active and available for use.
- Click Close.
Editing generated keys
Follow the steps below to change an API key:
- In the top bar of the VTEX Admin, click your profile avatar — indicated by the first letter of your email — and then click Account Settings > API Keys.
- Make sure you are in the Generated tab.
- In the row of the desired API key, click the kebab menu (⋮) and then Edit.
- Apply the desired changes from the options below:
  - Change the role selection associated with the API key.
  - Check or uncheck the Activate option to activate or deactivate the generated key.
- Click Save.
Deactivating or activating generated keys
If an API key that has access to your account is compromised, you should immediately revoke its access to your account. You can generate a new key to replace the previous one if necessary.
If you make a mistake, you can reactivate the API key to reestablish the impacted integration.
Follow the steps below to deactivate or activate an API key:
- In the top bar of the VTEX Admin, click your profile avatar — indicated by the first letter of your email — and then click Account Settings > API Keys.
- Make sure you are in the Generated tab.
- In the row of the desired API key, click the kebab menu (⋮) and choose one of the following actions:
  - Deactivate: If the key is active, click Deactivate to deactivate it. This action will interrupt integrations using the key, so use it with caution. You need to click Deactivate again to confirm the action.
  - Activate: If the key is inactive, click Activate to activate it.
You should only reactivate an API key if you are sure it has not been compromised. Anyone with the associated API token can access your account when the key is active.
Renewing tokens
The token associated with an API key is only valid during the period set when configuring the duration of API keys. You must renew the API token before it expires to maintain continuous access to resources and guarantee security.
To do this, follow the instructions described in Renewing API tokens.
Deleting keys
API keys that will no longer be used can be deleted. By deleting these keys, you can keep the list organized and make it easier to manage the keys in use.
Ensure the API key is no longer in use by any integration before deleting it. This action cannot be undone.
To delete an API key permanently, follow the steps below:
- In the top bar of the VTEX Admin, click your profile avatar — indicated by the first letter of your email — and then click Account Settings > API Keys.
- Make sure you are in the Generated tab.
- In the row of the desired API key, click the kebab menu (⋮) and then Delete Key.
- Check the option I understand that this action cannot be undone.
- Click Delete to confirm.