API Keys
Backoffice path: backoffice/settings/api-keys
Available to roles: System Administrator
Overview
API keys provide bearer-token authentication for the Airspace public API. Each key grants full access to the API -- there are no per-key scopes or permission restrictions. Keys can optionally be set to expire on a specific date, after which they are automatically rejected.
Use API keys when integrating external tools, scripts, or services with your airline's data. Treat them as sensitive credentials: a key grants the same level of API access as a programmatic system user.
Creating an API Key
- Navigate to
backoffice/settings/api-keys. - Click the Create API Key button.
- In the modal that appears, fill in the following fields:
| Field | Required | Description |
|---|---|---|
| Name | Yes | A descriptive label to identify the key's purpose (e.g., "Flight Sync Integration"). |
| Expires At | No | An optional expiration date. If set, the key will stop working after midnight UTC on this date. Leave blank for a non-expiring key. |
- Click Create. The newly generated key is displayed once in the confirmation dialog.
- Copy the key immediately and store it in a secure location (e.g., a password manager or secrets vault). The full key value is never shown again.
Key Format
API keys use the prefix ask_ followed by a random string, for a total length of 68 characters. Example format:
ask_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Security Notes
- The full key value is shown only once, immediately after creation. It cannot be retrieved later.
- If a key is lost, delete it and create a new one.
- Do not embed keys directly in client-side code or commit them to version control.
- Revoke any key that may have been exposed by deleting it immediately.
Using an API Key
Include the key in requests to the public API using one of the following methods:
X-API-Key Header (Recommended)
Pass the key as a custom request header:
GET /api/v1/flights HTTP/1.1
Host: your-tenant.airspace.example
X-API-Key: ask_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Query Parameter (Fallback)
Alternatively, pass the key as a query parameter. This method is less secure and should only be used when setting custom headers is not possible:
GET /api/v1/flights?api_key=ask_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Using the api_key query parameter may cause the key to appear in server logs, browser history, and referrer headers. Prefer the X-API-Key header whenever possible.
Managing Keys
The API Keys index page lists all keys created for your tenant, showing each key's name, creation date, expiration date (if set), and enabled status.
Enabling and Disabling
Each key has an Enable / Disable toggle. Disabling a key causes all API requests using that key to be rejected immediately, without deleting the key. Re-enabling it restores access. This is useful for temporarily suspending access without losing the key record.
Deleting a Key
Click the Delete button next to a key to permanently remove it. A confirmation prompt is shown before deletion proceeds. Once deleted, the key is immediately invalidated and cannot be recovered.
Expiration Behavior
If a key has an expiration date set, the API automatically rejects any request using that key once the date has passed. The key remains visible in the backoffice list with an expired status indicator. Expired keys can be deleted to keep the list tidy.
To extend access, delete the expired key and create a new one with a later expiration date.
Permissions
Access to the API Keys management page is restricted to the System Administrator role. Administrators and other roles cannot view or manage API keys.