> For clean Markdown of any page, append .md to the page URL. > For a complete documentation index, see https://docs.cloudraker.com/llms.txt. > For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://docs.cloudraker.com/_mcp/server. # API keys An **API key** is a credential that lets an outside system — a script, an integration, or another app — work with RakerOne on its own. The key is not a person. It carries its own permissions and acts as its own identity, and the things it does are recorded under its name. Use an API key when you want another system to do something in RakerOne without a person clicking through the app — for example, a service that starts a [playbook run from a webhook](/playbooks/triggers), or a tool that pushes records in. The whole **Admin** group, including this page, is admin-only. If you don't see it, ask an admin. ## The API keys page Open **Admin → API keys** in the sidebar. The page lists every key in your organization. Each row shows: * **Name** — what the key is for. * **Permissions** — small badges for what the key can do. A key that can act as a user shows a **Can impersonate** badge; a key with no permissions shows **No permissions**. * **Last used** — when the key last called RakerOne, or **Never** if it hasn't yet. * **Created** — when the key was made. * A **Revoke** button. If there are no keys yet, you'll see **No API keys yet** with a prompt to create one. The badges show *which* permissions a key has, not what each one means. For the meaning of every permission, see [Roles and permissions](/admin/roles-and-permissions). Give a key only the permissions it actually needs. ## Create a key On the **API keys** page, click **Create API key** in the top right. Enter a **Name** that says what the key is for — for example, "Data import service." The name is how you'll recognize the key in the table and how its actions are recorded, so make it descriptive. Under **Permissions**, tick only the capabilities this key needs. Each checkbox maps to one capability — the same capabilities described in [Roles and permissions](/admin/roles-and-permissions). Grant the fewest you can; you can always create a separate key for a different job. Leave **Can impersonate users** off unless you specifically need it. When it's on, the key can act on behalf of a named user, and those actions are recorded under that person instead of the key. Click **Create key**. The dialog moves to a second screen showing the key value. ## Copy the key now After you create a key, RakerOne shows you the full value once, on a screen titled **Copy your API key**. This is the only time you'll see the full key. RakerOne can't show it to you again. Click **Copy** and store the key somewhere safe before you close the dialog. If you lose it, you'll have to revoke the key and create a new one. On this screen, click **Copy** (it changes to **Copied**), paste the key into your secure store, then click **Done** to close. Clicking outside the dialog won't close it here — that's deliberate, so you don't lose an uncopied key by accident. ## Revoke a key Revoke a key when it's no longer needed or might be exposed. Revoking takes effect at once. On the **API keys** table, click **Revoke** on the key's row. A dialog asks **Revoke this API key?** and warns that any system using the key will immediately lose access. Click **Revoke key** to confirm, or **Cancel** to keep it. Revoking is immediate and permanent. Any integration using that key stops working right away, and the key can't be brought back. If you only meant to rotate the key, create the new one first, switch your integration over to it, then revoke the old one. You can't look up a key's value again — RakerOne never stores it in a way you can read. If a key is lost or you suspect it's been exposed, revoke it and create a fresh one. Update any system that used the old key with the new value. ## Where to go next See what each permission lets a key (or a person) do. Start playbook runs automatically from an outside system.