# Access Keys

> Manage API access keys for Backline integrations

## Overview

Access Keys allow you to authenticate programmatic access to Backline's API and connect external tools to your Backline account. Create, manage, and revoke access keys to maintain secure integrations.

## What are Access Keys?

Access Keys are authentication credentials that enable:

* API access for custom integrations
* Programmatic interaction with Backline
* Integration with CI/CD pipelines
* Third-party tool connections
* Automated workflows and scripts

## Accessing Access Keys

<Steps>
  <Step title="Navigate to Settings">
    Click on **Settings** in the main navigation menu.
  </Step>

  <Step title="Select Access Keys">
    Choose **Access Keys** from the settings menu.
  </Step>

  <Step title="Manage Keys">
    View, create, or revoke access keys as needed.
  </Step>
</Steps>

## Creating an Access Key

<Steps>
  <Step title="Click Create">
    On the Access Keys page, click the **Create Access Key** button.
  </Step>

  <Step title="Name Your Key">
    Provide a descriptive name to identify the key's purpose (e.g., "CI/CD Pipeline", "External Scanner").
  </Step>

  <Step title="Set Permissions">
    Choose the appropriate permissions and scopes for this key.
  </Step>

  <Step title="Generate">
    Click **Generate** to create the access key.
  </Step>

  <Step title="Save the Key">
    Copy and securely store the generated key. You won't be able to view it again.
  </Step>
</Steps>

<Warning>
  Access keys are displayed only once during creation. Store them securely in a password manager or secrets vault. If you lose an access key, you'll need to create a new one.
</Warning>

## Managing Access Keys

### Viewing Active Keys

The Access Keys page displays:

* Key name and description
* Creation date
* Last used date
* Permissions and scopes
* Status (Active/Inactive)

### Revoking Access Keys

To revoke an access key:

<Steps>
  <Step title="Locate the Key">
    Find the key you want to revoke in the list.
  </Step>

  <Step title="Click Revoke">
    Click the **Revoke** or delete button next to the key.
  </Step>

  <Step title="Confirm">
    Confirm that you want to revoke the key.
  </Step>
</Steps>

<Note>
  Revoking an access key immediately invalidates it. Any integrations using that key will stop working until you provide a new key.
</Note>

## Best Practices

<AccordionGroup>
  <Accordion title="Use Descriptive Names">
    Name your access keys based on their purpose and where they're used. This makes it easier to identify and manage them later.

    Good examples:

    * "Production CI/CD Pipeline"
    * "Staging Environment Scanner"
    * "External Monitoring Tool"
  </Accordion>

  <Accordion title="Principle of Least Privilege">
    Grant only the minimum permissions necessary for each access key. If a key only needs to read vulnerabilities, don't give it write permissions.
  </Accordion>

  <Accordion title="Regular Rotation">
    Rotate access keys periodically (e.g., every 90 days) to maintain security. Create a new key, update your integrations, then revoke the old key.
  </Accordion>

  <Accordion title="Secure Storage">
    Never commit access keys to version control or share them in plain text. Use:

    * Environment variables
    * Secrets management systems (e.g., AWS Secrets Manager, HashiCorp Vault)
    * Secure password managers
  </Accordion>

  <Accordion title="Monitor Usage">
    Regularly review the "Last used" date for each key. Revoke keys that haven't been used recently to reduce your attack surface.
  </Accordion>
</AccordionGroup>
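
The Regular Rotation and Monitor Usage practices can be checked mechanically. The following is an added example, not Backline code: it audits an inventory of keys for ones past the 90-day rotation interval or idle long enough to be revocation candidates. The record layout mirrors the fields the Access Keys page displays but is constructed here, and the 30-day idle threshold is an assumption.

```python
from datetime import date

ROTATION_DAYS = 90  # rotation interval this page gives as an example
STALE_DAYS = 30     # assumed meaning of "used recently"; set to your own policy

# Constructed sample inventory, as if hand-copied from the Access Keys page.
SAMPLE_KEYS = [
    {"name": "Production CI/CD Pipeline", "created": "2025-01-10",
     "last_used": "2025-06-01", "status": "Active"},
    {"name": "Staging Environment Scanner", "created": "2025-04-01",
     "last_used": None, "status": "Active"},
    {"name": "External Monitoring Tool", "created": "2025-04-15",
     "last_used": "2025-04-20", "status": "Active"},
    {"name": "Nightly Report Export", "created": "2025-05-01",
     "last_used": "2025-06-02", "status": "Active"},
    {"name": "Old Report Script", "created": "2024-01-01",
     "last_used": "2024-02-01", "status": "Inactive"},
]


def audit_keys(keys, today):
    """Return {key name: [findings]} for active keys that need attention."""
    findings = {}
    for key in keys:
        if key["status"] != "Active":
            continue  # inactive keys cannot authenticate, nothing to rotate
        issues = []
        age = (today - date.fromisoformat(key["created"])).days
        if age > ROTATION_DAYS:
            issues.append(f"rotate: {age} days old")
        if key["last_used"] is None:
            # Never used: measure idleness from creation so new keys get a grace period.
            if age > STALE_DAYS:
                issues.append(f"revoke candidate: never used, {age} days since creation")
        else:
            idle = (today - date.fromisoformat(key["last_used"])).days
            if idle > STALE_DAYS:
                issues.append(f"revoke candidate: idle {idle} days")
        if issues:
            findings[key["name"]] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_keys(SAMPLE_KEYS, date(2025, 6, 2)).items():
        print(f"{name}: {'; '.join(issues)}")
```
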

## Use Cases

### External Monitoring

Use access keys to:

* Connect monitoring dashboards
* Export vulnerability data to external systems
* Integrate with security information and event management (SIEM) tools

### Custom Automation

Build custom scripts that:

* Generate security reports
* Automate remediation workflows
* Sync data with other systems

## Troubleshooting

### Authentication Failed

If you receive authentication errors:

1. Verify the access key is copied correctly (no extra spaces or characters)
2. Check that the key hasn't been revoked
3. Ensure the key has the necessary permissions for the requested operation
4. Confirm you're using the key with the correct API endpoint
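
The Secure Storage practice and the first check above can be enforced where an integration starts up. This is an added example, not Backline code: it reads the key from an environment variable, rejects values damaged by copy and paste, and produces a short fingerprint so logs can say which key was used without printing it. The variable name `BACKLINE_ACCESS_KEY` is hypothetical, and the checks assume a valid key contains no whitespace or surrounding quotes.

```python
import hashlib
import os

ENV_VAR = "BACKLINE_ACCESS_KEY"  # hypothetical name, not defined by Backline


class KeyConfigError(Exception):
    """Raised when the key is missing or looks damaged by copy and paste."""


def load_access_key(environ=os.environ, var=ENV_VAR):
    """Return the key from the environment, or raise with a specific reason."""
    raw = environ.get(var)
    if not raw:
        raise KeyConfigError(f"{var} is not set; inject it from your secrets manager")
    if raw != raw.strip():
        raise KeyConfigError(f"{var} has leading or trailing whitespace (often a pasted newline)")
    if any(ch.isspace() for ch in raw):
        raise KeyConfigError(f"{var} contains whitespace inside the value")
    if raw[0] in "\"'" or raw[-1] in "\"'":
        # Assumption: keys never start or end with a quote character.
        raise KeyConfigError(f"{var} is wrapped in quote characters")
    return raw


def fingerprint(key):
    """Short SHA-256 prefix that identifies a key in logs without revealing it."""
    return hashlib.sha256(key.encode("utf-8")).hexdigest()[:8]


if __name__ == "__main__":
    try:
        key = load_access_key()
    except KeyConfigError as err:
        raise SystemExit(f"configuration error: {err}")
    # Log the fingerprint only; the key itself never reaches stdout or log files.
    print(f"using access key with fingerprint {fingerprint(key)}")
```
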

### Key Not Working After Creation

If a newly created key isn't working:

1. Wait a few moments (key propagation may take seconds)
2. Verify you copied the entire key during creation
3. Check that you're using the correct API format and headers

## Security Considerations

* Anyone holding an access key can do everything its assigned permissions allow in your Backline account
* Treat access keys like passwords: never share them publicly
* If you suspect a key has been compromised, revoke it immediately
* Monitor API usage for unusual activity
* Use different keys for different purposes to limit potential damage if one is compromised
