Guide
Manage API Access and the Public API
Create scoped workspace principals and use the public endpoints without giving away broader access than necessary.
Before you start
- Know which integration or script needs access and what it actually needs to do.
Do this
- Open API Access.
- Create a principal for the integration or service account.
- Give it only the scopes it needs:
  - incidents:read
  - incidents:write
  - teams:read
  - catalog:read
- Set an expiry if the key should be temporary.
- Create the key and copy the revealed token when it is shown.
- Use the public API endpoints that match the scopes you granted, such as incident list and detail, incident status changes, team list, or catalog reads.
- Rotate or revoke the key when the integration changes or no longer needs access.
Check it worked
- The principal shows the right scopes and status.
- The key is active and the integration can reach only the allowed endpoints.
- Unused or old keys are easy to rotate or revoke.
If it does not work
- If requests are failing, confirm the key has the exact scope required for that endpoint.
- If a script needs to do more than one job, consider separate principals instead of one broad key.
- If the token is exposed, rotate it immediately.
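
A least-privilege review of the kind "Check it worked" and "If it does not work" describe, as an added example that is not part of the product or of this guide. The record fields, operation names and the operation-to-scope mapping are assumptions, and the inventory is constructed sample data.

```python
from datetime import datetime, timezone

# Assumed mapping from operations the guide names to the scopes it lists.
REQUIRED_SCOPE = {
    "incident_list": "incidents:read",
    "incident_detail": "incidents:read",
    "incident_status_change": "incidents:write",
    "team_list": "teams:read",
    "catalog_read": "catalog:read",
}

def audit_principal(principal, now):
    """Return least-privilege findings for one principal record."""
    granted = set(principal["scopes"])
    needed = {REQUIRED_SCOPE[op] for op in principal["operations"]}
    findings = [f"missing scope {s}: matching requests will fail"
                for s in sorted(needed - granted)]
    findings += [f"excess scope {s}: remove it" for s in sorted(granted - needed)]
    expires = principal.get("expires_at")
    if principal.get("temporary") and expires is None:
        findings.append("temporary key has no expiry")
    if expires is not None and expires <= now:
        findings.append("key expired: rotate or revoke")
    # More than one resource family suggests more than one job per key.
    if len({s.split(":")[0] for s in needed}) > 1:
        findings.append("several jobs on one key: consider separate principals")
    return findings

def audit_all(principals, now):
    return {p["name"]: audit_principal(p, now) for p in principals}

# Constructed sample inventory (hypothetical field names, not an API response).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
PRINCIPALS = [
    {"name": "status-dashboard", "scopes": ["incidents:read"],
     "operations": ["incident_list", "incident_detail"]},
    {"name": "auto-closer", "temporary": True,
     "scopes": ["incidents:read", "incidents:write", "teams:read", "catalog:read"],
     "operations": ["incident_status_change"]},
    {"name": "migration-script", "temporary": True,
     "expires_at": datetime(2024, 5, 1, tzinfo=timezone.utc),
     "scopes": ["catalog:read"], "operations": ["catalog_read", "team_list"]},
]

if __name__ == "__main__":
    for name, findings in audit_all(PRINCIPALS, NOW).items():
        print(name, "->", findings or "ok")
```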
