Proper API key management is essential for maintaining security and access control. This guide covers viewing, monitoring, and revoking your API keys.

Viewing API Keys

Navigate to the API Keys page for your account:
  • Personal Account: /teams/~/api-keys
  • Team Account: /teams/[team-slug]/api-keys

Key Information Displayed

Each API key shows the following information:
Name (string): The display name you chose when creating the key
Key Value (string): Masked token value (e.g., deli_****...****abcd). The full token is only shown once at creation time
Permissions (string): Summary of scopes assigned to the key:
  • “Full Access” for ["*"]
  • “X services” for service-level access
  • “X scopes” for granular permissions
Click the summary to view the detailed scope list
Created (timestamp): When the key was created
Last Used (date): When the key was last used. Helps identify unused keys for cleanup
Expires (date): Expiration date (or “Never” if no expiration)

Monitoring Usage

Last Used Timestamp

The “Last Used” column updates whenever the API key successfully authenticates a request. This helps you:
  • Identify Active Keys: See which keys are actively in use
  • Detect Unused Keys: Find keys that haven’t been used recently
  • Security Auditing: Track key usage patterns
  • Cleanup Planning: Identify candidates for revocation
Review the “Last Used” column monthly to identify and remove unused keys.

Permission Details

Click on any key’s permission summary to view the complete list of scopes:
Full Access
├── * (all services and operations)

2 services
├── service-a:*
└── service-b:*

3 scopes
├── service:resource:read
├── service:resource:write
└── appcore:payment:update

Revoking API Keys

Revoking an API key is permanent and immediate. Any applications using the key will lose access immediately.

How to Revoke

  1. Navigate to the API Keys page
  2. Find the key you want to revoke
  3. Click the Delete button (trash icon)
  4. Confirm the deletion
The key is immediately revoked and can no longer be used for authentication.

When to Revoke

Revoke keys in these situations:
If a key has been exposed or leaked:
  1. Immediately revoke the compromised key
  2. Create a new key with the same permissions
  3. Update your applications with the new key
  4. Review recent usage for suspicious activity
If a key hasn’t been used in a long time:
  1. Verify the key is truly unused
  2. Check with your team if it’s a team key
  3. Revoke the key to reduce attack surface
When a project or service is retired:
  1. Document which keys were used
  2. Revoke all associated keys
  3. Remove keys from any documentation
When a team member leaves:
  1. Review keys created by the member
  2. Revoke personal keys if applicable
  3. Rotate shared keys they had access to
As part of security best practices:
  1. Create new keys with same permissions
  2. Update applications with new keys
  3. Revoke old keys after verification
  4. Document rotation date

Key Rotation

Key rotation is a security best practice that involves regularly replacing API keys.

Rotation Process

1. Create New Key

Generate a new API key with the same scopes as the old key
Name: "Production - Image Processing v2"
Scopes: Same as old key
Expiration: 1 year (or same as old key)

2. Update Applications

Update your applications to use the new key
# Example: Update environment variable
export DELINO_API_KEY="deli_new_key_value"

# Restart services
systemctl restart myapp

3. Test New Key

Verify the new key works correctly
# Test API call with new key
curl -H "Authorization: Bearer deli_new_key_value" \
  https://api.delino.io/...

4. Monitor Old Key

Wait 24-48 hours and monitor the “Last Used” timestamp.
If the old key is still being used:
  • Identify which service is using it
  • Update that service
  • Wait and verify again

5. Revoke Old Key

Once you have confirmed the old key is no longer used:
  1. Revoke the old key
  2. Monitor for any errors
  3. Document the rotation

Rotation Schedule

Recommended rotation frequencies:
| Environment | Frequency | Reason |
|-------------|-----------|--------|
| Development | 30-90 days | Frequent changes, lower risk |
| Staging | 60-180 days | Balance of security and stability |
| Production | 90-365 days | Stability critical, planned rotations |
| CI/CD | 60-180 days | Automated environments easier to update |
These are recommendations. Adjust based on your organization’s security policies.
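
The monthly “Last Used” review and the rotation schedule above can be combined into one audit pass. The script below is an added example, not part of the platform or its tooling. It runs over a constructed inventory transcribed by hand from the API Keys page; the `env` field, the 30-day and 14-day thresholds, and the finding names are assumptions.

```python
from datetime import date

# Upper bound of each range in the rotation table above, in days.
MAX_AGE_DAYS = {"development": 90, "staging": 180, "production": 365, "ci/cd": 180}
UNUSED_AFTER_DAYS = 30   # assumption: one monthly review cycle
EXPIRY_WARN_DAYS = 14    # assumption: lead time needed to plan a rotation

# Constructed inventory, transcribed by hand from the API Keys page.
# "env" is an assumed field taken from your own key documentation;
# last_used=None stands for a key that has never authenticated.
SAMPLE_KEYS = [
    {"name": "Production - Image Processing v2", "env": "production",
     "scopes": ["service:resource:read", "service:resource:write"],
     "created": date(2024, 3, 1), "last_used": date(2024, 5, 31),
     "expires": date(2025, 3, 1)},
    {"name": "Staging - Legacy Importer", "env": "staging",
     "scopes": ["service-a:*", "service-b:*"],
     "created": date(2023, 9, 1), "last_used": date(2024, 1, 15),
     "expires": None},
    {"name": "CI - Deploy Bot", "env": "ci/cd", "scopes": ["*"],
     "created": date(2024, 5, 1), "last_used": None,
     "expires": date(2024, 6, 10)},
]

def audit(keys, today):
    """Return {key name: [finding, ...]} for every key that needs attention."""
    report = {}
    for k in keys:
        findings = []
        if k["last_used"] is None:
            findings.append("never-used")
        elif (today - k["last_used"]).days > UNUSED_AFTER_DAYS:
            findings.append("unused")
        if (today - k["created"]).days > MAX_AGE_DAYS[k["env"]]:
            findings.append("rotation-overdue")
        if k["expires"] is None:
            findings.append("no-expiry")
        elif k["expires"] < today:
            findings.append("expired")
        elif (k["expires"] - today).days <= EXPIRY_WARN_DAYS:
            findings.append("expiring-soon")
        if "*" in k["scopes"]:
            findings.append("full-access")
        if findings:
            report[k["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS, date(2024, 6, 1)).items():
        print(f"{name}: {', '.join(findings)}")
```

Keys flagged `unused` or `never-used` are revocation candidates; confirm with the key's owner before deleting, as described under “When to Revoke”.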

Troubleshooting

Key Not Working

If an API key stops working:
  1. Check Expiration: Verify the key hasn’t expired
  2. Verify Scopes: Ensure the key has required permissions
  3. Test Authentication: Try a simple API call
  4. Check Last Used: See if it’s being used at all
  5. Review Logs: Check application logs for error messages

Permission Denied

If you get permission errors:
  1. Review Scopes: Check the key’s scope list
  2. Verify Endpoint: Ensure the endpoint matches a scope
  3. Check Wildcards: Understand wildcard coverage
  4. Contact Support: If scope seems correct but fails
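
To reason about wildcard coverage before contacting support, the scope forms shown under “Permission Details” can be checked locally. This is an added example, not the platform's own matching code: it assumes a trailing `*` segment covers everything beneath its prefix, which is how the scope lists on this page read, and the scope `service-a:image:read` is a constructed sample.

```python
def covers(granted, required):
    """True if one granted scope covers the required scope.

    Assumed rule: segments are separated by ':' and a '*' in the last
    position of the granted scope matches all remaining segments.
    """
    g, r = granted.split(":"), required.split(":")
    for i, seg in enumerate(g):
        if seg == "*" and i == len(g) - 1:
            return True
        if i >= len(r) or seg != r[i]:
            return False
    return len(g) == len(r)

def check_key(scopes, required):
    """Return (allowed, [granted scopes that cover the required one])."""
    matches = [s for s in scopes if covers(s, required)]
    return bool(matches), matches

def narrowing_plan(scopes, needed):
    """Map each over-broad or unused scope to the exact scopes to keep.

    An empty list means the scope covers nothing the application needs
    and can be dropped when the replacement key is created.
    """
    plan = {}
    for s in scopes:
        hits = [n for n in needed if covers(s, n)]
        if not hits or s.endswith("*"):
            plan[s] = hits
    return plan

if __name__ == "__main__":
    key_scopes = ["service-a:*", "service-b:*", "appcore:payment:update"]
    print(check_key(key_scopes, "service:resource:read"))
    print(narrowing_plan(key_scopes,
                         ["service-a:image:read", "appcore:payment:update"]))
```

Because a key's scopes are fixed when it is created in the workflow this page describes, a narrowing plan is applied by creating a replacement key with the narrower scopes and following the rotation process.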

Cannot Delete Key

If you cannot delete a key:
  1. Check Permissions: Ensure you have admin rights
  2. Verify Ownership: Confirm the key belongs to your account
  3. Try Again: Temporary network issues may occur

Best Practices Summary

Regular Audits

Review API keys monthly for unused or expired keys

Descriptive Names

Use names that identify purpose and version (e.g., “Production v2”)

Monitor Usage

Track “Last Used” to identify active and inactive keys

Rotate Regularly

Implement key rotation based on environment risk level

Document Keys

Maintain internal documentation of key purposes

Revoke Promptly

Remove unused keys immediately to reduce attack surface
