API Keys
Create and manage API keys for SuitePortal API access
API keys provide programmatic access to the SuitePortal REST API. Keys are scoped to an organization and automatically apply row-level security.
Key Format
```
sp-{timestamp}-{hash}
```
Example:
```
sp-1703123456789-abc123def456
```
Key Properties
| Property | Value |
|---|---|
| Prefix | sp-{timestamp}- |
| Default expiration | 30 days |
| Organization scope | Required |
| Rate limiting | Disabled |
| Metadata | Supported |
Creating API Keys
Via Dashboard
- Navigate to Settings → API Keys
- Click Create API Key
- Enter a descriptive name (e.g., "Production Server", "Development")
- Click Create
- Copy the key immediately — it will not be shown again
Key Organization Scope
API keys are automatically associated with your active organization. The key inherits:
- organizationId: The organization the key belongs to
- tenantId: Derived from the organization for data access
Using API Keys
Authorization Header
```
Authorization: Bearer sp-1703123456789-abc123def456
```
cURL Example
```bash
curl -X GET "https://suiteportal.io/api/v1/invoices" \
  -H "Authorization: Bearer sp-1703123456789-abc123def456"
```
JavaScript/TypeScript
```javascript
// The key is read from the environment, never hard-coded in source
const response = await fetch('https://suiteportal.io/api/v1/invoices', {
  headers: {
    'Authorization': `Bearer ${process.env.SUITEPORTAL_API_KEY}`,
  },
});
```
Python
```python
import os

import requests

# The key is read from the environment, never hard-coded in source
response = requests.get(
    'https://suiteportal.io/api/v1/invoices',
    headers={'Authorization': f'Bearer {os.environ["SUITEPORTAL_API_KEY"]}'},
)
```
Managing Keys
View Keys
- Navigate to Settings → API Keys
- View list of active keys
Displayed information:
- Key name
- Created date
- Last used
- Expiration status
Revoke Keys
- Navigate to Settings → API Keys
- Find the key to revoke
- Click Revoke or Delete
- Confirm the action
Revoked keys are immediately invalidated.
Key Expiration
| Setting | Default |
|---|---|
| Default expiration | 30 days from creation |
| Custom expiration | TODO: Not yet supported |
| Automatic renewal | Not supported |
Create new keys before expiration to maintain access.
Data Access
API keys inherit the organization's portal type for row-level security:
| Portal Type | Data Access |
|---|---|
| Tenant | All transactions for the tenant |
| Customer | Transactions where entity = customer ID |
| Vendor | Transactions where entity = vendor ID |
Security Best Practices
Do
- Store keys in environment variables
- Use different keys for development/staging/production
- Rotate keys periodically (e.g., monthly)
- Revoke keys when no longer needed
- Name keys descriptively (e.g., "CI/CD Pipeline", "Analytics Server")
Don't
- Commit keys to version control
- Share keys via email or chat
- Use the same key across multiple applications
- Log keys in application output
- Embed keys in client-side code
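
The rules above about committed and logged keys can be checked mechanically. The following is an added example, not part of the SuitePortal documentation or code: a scanner and log redactor for the sp-{timestamp}-{hash} format. It assumes the timestamp is the creation time in epoch milliseconds and that the hash is alphanumeric, as in the sample key; the names `scan` and `redact` and the sample text are constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: 13-digit epoch-ms timestamp and alphanumeric hash, as in the page's example.
KEY_RE = re.compile(r"\bsp-(\d{13})-([A-Za-z0-9]{6,})\b")
DEFAULT_LIFETIME = timedelta(days=30)  # default expiration stated on this page


def redact(text: str) -> str:
    """Drop the hash part of every key; the timestamp stays so lines remain correlatable."""
    return KEY_RE.sub(lambda m: f"sp-{m.group(1)}-[REDACTED]", text)


def scan(text: str, now: datetime) -> list[dict]:
    """Report each key-shaped string with its line number and estimated expiry state.

    Assumption: {timestamp} is the key's creation time in epoch milliseconds.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            created = datetime.fromtimestamp(int(m.group(1)) / 1000, tz=timezone.utc)
            findings.append({
                "line": lineno,
                "key": f"sp-{m.group(1)}-[REDACTED]",  # never echo the full key
                "created": created,
                "likely_expired": now >= created + DEFAULT_LIFETIME,
            })
    return findings


# Constructed sample: a committed .env line and a log line that captured a header.
SAMPLE = """\
SUITEPORTAL_API_KEY=sp-1703123456789-abc123def456
timeout=30
2024-01-05 GET /api/v1/invoices auth="Bearer sp-1704412800000-9f8e7d6c5b4a"
"""

if __name__ == "__main__":
    now = datetime(2024, 1, 25, tzinfo=timezone.utc)
    for finding in scan(SAMPLE, now):
        print(finding)
    print(redact(SAMPLE))
```

A finding that is not yet likely expired should be revoked first; an expired one still indicates a storage or logging path that needs fixing.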
Environment Variables
Recommended environment variable naming:
```
# .env
SUITEPORTAL_API_KEY=sp-1703123456789-abc123def456
# Or with environment suffix
SUITEPORTAL_API_KEY_DEV=sp-...
SUITEPORTAL_API_KEY_PROD=sp-...
```
Troubleshooting
"API key required"
- Ensure the Authorization header is present
- Check header format: Bearer sp-...
"Invalid API key"
- Key may be revoked or expired
- Verify key is copied correctly (no extra spaces)
- Create a new key if necessary
"Access denied"
- User who created the key may have been removed from organization
- Organization may have been deleted
- Contact administrator to verify membership
Related
- Authentication - Authentication overview
- API Overview - Using the REST API