API keys (Personal Access Tokens) allow you to authenticate API requests without using your main account credentials. They provide secure, programmatic access to Delino services with fine-grained permission control.

How API Keys Work

API keys are Personal Access Tokens (PATs) that provide a secure way to authenticate API requests. Each key has:
  • Unique Token: A secure token value shown only once at creation
  • Display Name: A user-friendly name you choose
  • Scopes: Fine-grained permissions controlling what the key can access
  • Expiration: Optional expiration date

Permission Scopes

API keys use a scope-based permission system with the format: service:resource:action

Scope Levels

Grant complete access to all services and operations.
Scope: ["*"]
Use case: Development and testing environments

Grant access to all operations within specific services.
Example: service:* - All operations for a specific service
Use case: Production applications using specific services

Grant access to specific operations within services.
Examples:
  • service:resource:action - Specific operation only
  • appcore:payment:update - Access billing portal only
Use case: Maximum security with minimal permissions

Wildcard Support

Scopes support wildcards for flexible permission management:
  • * - Full access to everything
  • service:* - All operations in a service
  • service:resource:* - All actions on a resource
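The wildcard rules above, worked through as an added example (not Delino's implementation). It assumes a wildcard is honoured only as the final segment and that any other pattern is rejected; the function names are hypothetical.

```python
# Added example: matching rules are inferred from the wildcard list above,
# not taken from Delino's code. Function names are hypothetical.

def scope_allows(granted: str, required: str) -> bool:
    """Return True if one granted scope covers a concrete required scope."""
    req = required.split(":")
    # The required scope must be a concrete service:resource:action triple.
    if len(req) != 3 or any(p in ("", "*") for p in req):
        return False
    parts = granted.split(":")
    if not 1 <= len(parts) <= 3 or "" in parts:
        return False
    # Assumption: "*" is valid only as the last segment ("*", "svc:*", "svc:res:*").
    # Patterns such as "svc:*:read" are not described on the page, so fail closed.
    if "*" in parts[:-1]:
        return False
    if parts[-1] == "*":
        # Everything before the wildcard must match the same leading segments.
        return parts[:-1] == req[:len(parts) - 1]
    # No wildcard: the grant must be the exact three-part scope.
    return parts == req


def key_allows(granted_scopes, required: str) -> bool:
    """A key is authorized if any one of its scopes covers the required scope."""
    return any(scope_allows(g, required) for g in granted_scopes)


def broad_grants(granted_scopes):
    """List wildcard grants on a key, for least-privilege review."""
    return [g for g in granted_scopes if g.split(":")[-1] == "*"]


if __name__ == "__main__":
    # Constructed sample keys using the AppCore scopes listed on this page.
    keys = {
        "Finance Tool - Billing Portal": ["appcore:payment:update"],
        "Team Admin": ["appcore:team:*"],
        "Development - Local": ["*"],
    }
    for name, scopes in keys.items():
        print(name,
              "| team:write allowed:", key_allows(scopes, "appcore:team:write"),
              "| wildcard grants:", broad_grants(scopes))
```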

Available Scopes

AppCore:
  • appcore:payment:update - Access billing portal URL
  • appcore:team:read - Read team information
  • appcore:team:write - Manage teams
For service-specific scopes, refer to each service’s documentation.

Security Features

Token Security

  • One-Time Display: Token value shown only at creation
  • Secure Storage: Tokens stored securely
  • Scope Validation: Every request validates required permissions

Expiration

  • Optional Expiration: Set expiration date or create non-expiring keys
  • Flexibility: Choose the expiration that fits your security needs

Best Practices

Principle of Least Privilege

Grant only the minimum scopes required for each use case

Separate Keys

Create different keys for different applications or environments

Descriptive Names

Use clear names that indicate the key’s purpose

Regular Rotation

Periodically rotate keys, especially for production use

Secure Storage

Store keys in environment variables or secure vaults

Revoke Unused Keys

Delete keys that are no longer needed

Common Use Cases

Development Environment

# Create a key with full access for development
Scopes: ["*"]
Name: "Development - Local"
Expiration: 30 days

Production Service

# Create a key with service-level access
Scopes: ["service:*"]
Name: "Production - Service Access"
Expiration: Never

CI/CD Pipeline

# Create a key with specific permissions
Scopes: ["service:resource:write"]
Name: "GitHub Actions - Main Pipeline"
Expiration: 1 year

Billing Portal Access

# Create a key for billing management
Scopes: ["appcore:payment:update"]
Name: "Finance Tool - Billing Portal"
Expiration: Never
