API keys: Improvements for more security, control, and visibility

Júlia Rabello

Published on8/12/2025

•

Last updated on8/13/2025

3 min read

To optimize access credential management and increase security, we've enhanced the API keys experience. These updates are now available to all accounts.

${"base64":" ","img":{"width":1920,"height":1032,"type":"png","mime":"image/png","wUnits":"px","hUnits":"px","length":269129,"url":"https://raw.githubusercontent.com/vtexdocs/help-center-content/refs/heads/main/docs/en/announcements/2025/august/2025-08-12-api-keys-improvements-for-more-security-control-and-visibility_1.png"}}$

What has changed?

We've grouped the new features into three categories to improve security, simplify administration, and increase visibility of your API keys.

Now, instead of viewing the new token directly when generating and renewing it, you will receive a single-access link. This change aims to increase security when sharing sensitive data and reduce the attack surface.

The single-access link can be copied for later access or shared with the person who needs to use it. The link can only be accessed once, as it expires when clicked. If there are no interactions within 24 hours, the link also expires.

${"base64":" ","img":{"width":1920,"height":722,"type":"png","mime":"image/png","wUnits":"px","hUnits":"px","length":135330,"url":"https://raw.githubusercontent.com/vtexdocs/help-center-content/refs/heads/main/docs/en/announcements/2025/august/2025-08-12-api-keys-improvements-for-more-security-control-and-visibility_2.png"}}$

The official URL for accessing the token always follows the format share.vtex.com/credentials/{token}. The {token} is a random identifier generated when the key is created or renewed. Check the link format before accessing it to avoid phishing attempts or malicious pages.

Simpler management

API key export: Now you can generate an XLSX file containing information on both external API keys and the ones created in your account.
Enhanced search feature: The API key list now supports searching by nickname in addition to the original key name.

Alert optimization

Token renewal: We've removed the Token duration column to simplify key management. The system now shows renewal alerts based on the configured period (3 or 6 months), while maintaining the token's validity.

See below how alerts display in the API key row:

Pending token deletion: We've added alerts to notify you when the deletion of an old token is pending after renewal.

Why did we make this change?

We made these improvements to provide a more intuitive and complete experience for managing API keys, boosting operational security and efficiency.

The goal is to offer greater security and ease of use, including:

Increased protection when sharing tokens, reducing the risk of accidental exposure.
Streamlined collaboration between account management and development teams.

What needs to be done?

No action is needed. This update will be automatically applied to all accounts.

See the updated documentation to explore all features:

What has changed?

Secure sharing

Simpler management

Alert optimization

Why did we make this change?

What needs to be done?