API Security

The API Security page allows you to apply granular security policies to your API keys. By configuring these settings, you can control precisely where your keys can be used from and what actions they are authorised to perform. This helps you enforce the principle of least privilege, significantly strengthening the security of your integration and protecting your data.

This guide explains how to configure access controls and event permissions for your different API key types.

Accessing the API Security Page

  1. From the main Workspace Overview, navigate to the left-hand sidebar.

  2. Click the Infrastructure icon .

  3. In the sub-menu that appears, select API Security.

Understanding API Key Types

The API Security page is organised by the type of API key. You can set independent security policies for each. The two main types are:

  • Integration Write-Only API Key: Used for services that only need to send (write) data to your workspace, such as a backend server tracking events.

  • Integration Read & Write API Key: Used for services that need to both send (write) data and retrieve (read) data.

Configuring Security Policies

The configuration process is the same for both key types but applies only to the key specified in the section header.

To begin configuring a policy, click the Edit button in the top-right corner of the relevant key section.

Access Control (IP Whitelisting)

This setting allows you to restrict key usage to a specific list of IP addresses.

  1. Under Access Control, select the Specific locations radio button. A table for adding IP addresses will appear.

  2. Click the Add IP address button.

  3. In the New Allowed IP Address modal, enter the following:

    • IPv4 address: The IP address you want to add to the whitelist (e.g., 192.168.0.1).

    • Description: A memorable name to help you identify the IP address later (e.g., "Production API Server").

  4. Click Add. The IP address will now appear in your list.

  5. Repeat these steps for all required IP addresses.

To remove an IP address from the list, click the Remove button next to it and confirm the action in the pop-up dialogue.

Allowed Profile Events (Event Filtering)

This feature allows you to limit which specific profile events a key is permitted to send. If an attempt is made to send an event not on this list using this key, the request will be rejected.

  1. Under Allowed Profile Events, select the Specific Profile Events radio button.

  2. An input field will appear. Start typing the name of an event you want to allow (e.g., user_returned). A list of matching, existing events will appear for you to select from.

  3. Click the desired event name from the list, or click Add if it's a new event.

  4. The event will be added to the allowed list below the input field.

  5. Repeat for all events you wish to permit for this key.

Saving Your Changes

After you have finished configuring the policies for a key, a Save Changes button will be visible at the top of its section.

Click Save Changes to apply your new security configuration.

PreviousData APINextAudience

Last updated