Managing API Keys
API keys let you access Varai Sprints programmatically — to build integrations, automate workflows, or connect third-party tools. Each key authenticates requests on your behalf.
What are API keys for?
Use API keys when you want to:
- Connect Varai Sprints to other tools (Slack bots, CI/CD pipelines, custom scripts)
- Automate repetitive tasks (e.g., bulk creating tasks from a data source)
- Build internal dashboards that pull data from Varai Sprints
- Integrate with your own applications
API keys carry the same permissions as your user account — they can do anything you can do as a logged-in user.
API keys are like passwords. Never share them in public repositories, Slack messages, or emails. If a key is compromised, revoke it immediately and create a new one.
Creating an API key
- Go to Settings → API Keys.
- Click Create API Key.
- Enter a descriptive name for the key (e.g., "Slack integration", "CI pipeline", "Automation script").
- Optionally set an expiration date — the key will automatically stop working after this date.
- Click Create.
Your new API key is displayed once. Copy it and store it somewhere secure (e.g., a password manager or secret management tool like GitHub Secrets or AWS Secrets Manager).
The full API key value is only shown at the time of creation. If you close this dialog without copying the key, you cannot retrieve it again. You will need to create a new key.
Using an API key
Include the API key in the Authorization header of every request:
Authorization: Bearer your-api-key-here
Example (using curl):
GET https://your-varai-sprints-instance.com/api/v1/tasks
Authorization: Bearer vm_live_xxxxxxxxxxxxxxxxxxx
Listing your API keys
On the API Keys settings page, you can see all your active keys:
| Column | Description |
|---|---|
| Name | The label you gave the key |
| Created | When the key was created |
| Last used | When the key was last used to make a request |
| Expires | Expiration date (if set) |
| Status | Active or Expired |
The full key value is never shown again after creation — only the first and last few characters are displayed for identification (e.g., vm_live_xxx...yyy).
Revoking an API key
If a key is no longer needed, or if you suspect it has been compromised:
- Find the key in the API Keys list.
- Click Revoke.
- Confirm.
Revoking is immediate — any requests using that key will start returning 401 Unauthorized at once.
API key best practices
- Use a separate key per integration — this way, if one integration is compromised, you only need to revoke that one key
- Set expiration dates — for short-term integrations or scripts, set a key to expire automatically
- Name keys clearly — "automation-script-april-2026" is better than "key1"
- Rotate keys periodically — create a new key, update your integration, then revoke the old one
Rate limits on API keys
API requests made with API keys are subject to the same rate limits as regular user sessions. If your integration makes a high volume of requests, requests may be throttled.
If you need higher rate limits for a specific integration, contact your workspace admin.