Secret API Keys in BoxNCase Admin

Secure your BoxNCase store’s server-side integrations with properly managed secret API keys. Create authentication tokens for admin operations, manage comprehensive access permissions, and maintain security through proper key lifecycle management.

Overview

Secret API keys provide:
  • Full admin API access and permissions
  • Server-side authentication for secure operations
  • Comprehensive data and functionality access
  • User-specific key generation and management
  • Advanced security and audit capabilities
Target Audience: This guide is essential for developers and technical teams building server-side integrations and customizations for BoxNCase applications.

What is a Secret API Key?

Secret API Key Security: Secret keys provide full administrative access and require strict security measures.
Key Characteristics:
  • Complete admin API access with full permissions
  • Server-side only usage - never expose in client code
  • User-specific generation tied to admin accounts
  • Sensitive operations and data manipulation capabilities
  • Audit trail linking actions to specific users
Critical Security Requirements:
  • Never include in client-side code or repositories
  • Store securely in server environment variables
  • Implement proper access controls and monitoring
  • Regular rotation for enhanced security
  • Immediate revocation if compromise suspected
Common Security Violations to Avoid:
  • Hardcoding keys in source code
  • Committing keys to version control
  • Sharing keys via email or chat
  • Using keys in client-side applications
  • Insufficient access logging and monitoring
API Integration: For secure implementation patterns, refer to the API Reference.
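
The requirements above (keep the key in a server environment variable, keep it out of source code and repositories) can be enforced in code. The following is an added example, not BoxNCase code: the variable name `BOXNCASE_SECRET_API_KEY` and all function names are assumptions, and the fingerprint assumes a randomly generated key.

```python
import hashlib
import os
from pathlib import Path

# Hypothetical variable name; the page does not specify one.
ENV_VAR = "BOXNCASE_SECRET_API_KEY"


class SecretKeyError(RuntimeError):
    """Raised when the key is missing so the service fails closed at startup."""


def load_secret_key(environ=os.environ):
    """Read the key from the server environment only; no hardcoded fallback."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise SecretKeyError(f"{ENV_VAR} is not set")
    return key


def fingerprint(key):
    """Truncated SHA-256 of the key, for logs that must never hold the key itself."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def find_leaks(key, root, max_bytes=1_000_000):
    """Return files in the working tree under root that contain the literal key.

    Matching on the value itself avoids guessing a key format.
    """
    root = Path(root)
    needle = key.encode()
    hits = []
    for path in sorted(root.rglob("*")):
        if ".git" in path.relative_to(root).parts or not path.is_file():
            continue
        if path.stat().st_size > max_bytes:
            continue
        if needle in path.read_bytes():
            hits.append(str(path.relative_to(root)))
    return hits


if __name__ == "__main__":
    # Constructed demo value; a real service calls load_secret_key() with no argument.
    key = load_secret_key({ENV_VAR: "constructed-demo-key"})
    print("key fingerprint:", fingerprint(key))
    print("files containing the key:", find_leaks(key, "."))
```

A non-empty result from `find_leaks` means the key value sits in a file on disk and should be treated as compromised: revoke it and create a new one.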

View Secret API Keys

To view the secret API keys of the currently logged-in user in the BoxNCase Partners Admin, go to Settings -> Secret API Keys. Here, you can see a list of all the secret API keys for the logged-in user. You can also search, filter, and sort the API keys to find the one you are looking for.

Create Secret API Key

Key Generation Policy: Secret API key creation follows strict security policies.
User-Specific Generation:
  • Keys are tied to the currently logged-in user account
  • One active secret key per user maximum
  • Direct correlation between user permissions and key access
  • Audit trail maintained for all key-based actions
Key Lifecycle Management:
  • Existing active keys must be revoked before creating new ones
  • Immediate key display upon creation (one-time only)
  • Secure storage responsibility transferred to user
  • No key recovery option - revoke and recreate if lost
Security Benefits:
  • Prevents key proliferation and management confusion
  • Clear accountability for API actions
  • Simplified key rotation processes
  • Reduced attack surface through limitation
To create a new secret API key for the currently logged-in user:
  1. Go to Settings -> Secret API Keys.
  2. Click the Create button at the top right.
  3. In the form that opens, enter the secret API key’s title.
  4. Once you’re done, click the Save button.
  5. You’ll get a pop-up with the secret API key. Copy it and store it securely before closing the pop-up, as you won’t be able to see it again.

View Secret API Key Details

To view the details of a secret API key:
  1. Go to Settings -> Secret API Keys.
  2. Click on a secret API key from the list.
This opens the secret API key’s details page where you can also manage the API key.

Secret API Key Status

You can see the status of the secret API key at the top right of the first section in the details page. A secret API key’s status can be:
Status | Description
Active | Key is valid and provides full admin API access
Revoked | Key has been permanently disabled for security
Expired | Key validity period has ended and requires renewal

Edit Secret API Key

To edit a secret API key:
  1. Go to the secret API key’s details page.
  2. Click the ⋯ at the top right of the first section.
  3. Choose “Edit” from the dropdown.
  4. In the side window that opens, you can edit the secret API key’s title.
  5. Once you’re done, click the Save button.

Revoke Secret API Key

Revoking a secret API key is irreversible. After revoking a key, you can’t use it in requests or reactivate it. To revoke a secret API key:
  1. Go to the secret API key’s details page.
  2. Click the ⋯ at the top right of the first section.
  3. Choose “Revoke API key” from the dropdown.
  4. Confirm revoking the API key by clicking the “Revoke API key” button in the pop-up.

Delete Secret API Key

Deleting a secret API key is irreversible. You can only delete a secret API key after revoking it. To delete a secret API key:
  1. Go to the secret API key’s details page.
  2. Click the ⋯ at the top right of the first section.
  3. Choose “Delete” from the dropdown.
  4. Confirm deleting the API key by clicking the Delete button in the pop-up.