Introduction
What are API Keys?
Section titled What are API Keys?API Keys let you call Monkedo automations programmatically, without opening the visual editor. Each key belongs to your team and gives access only to the apps and actions you explicitly choose.
Every key has:
A secret token used in API requests (
Authorization: Bearer …)A name so you can tell keys apart (e.g. "Production", "Staging")
Per-app settings — which components are allowed and which connected account to use
What can you do with them?
Section titled What can you do with them?From your own code or infrastructure, you can:
Run actions — execute allowed automation steps (send an email, create a record, etc.)
Discover components — list available actions and read their input/output schemas
Manage triggers — register, list, and remove event-based triggers tied to your key
Management (creating, editing, deleting keys) is done in the Monkedo dashboard while logged in. Runtime calls use only the secret key you generate.
Who is this for?
Section titled Who is this for?Audience | Typical use |
|---|---|
Developers | Integrate Monkedo into a product or internal tool |
DevOps / platform teams | Run automations from CI/CD, cron jobs, or backend services |
Product teams | Offer automation features to customers without building every integration from scratch |
Team leads | Control exactly which apps and actions each integration can use |
Why use API Keys?
Section titled Why use API Keys?Challenge | How API Keys help |
|---|---|
You need automation outside the UI | Call Monkedo over a standard REST API |
You want to limit blast radius | Each key only reaches the apps and components you select |
You don't want to expose account credentials | Monkedo uses your pre-configured connections; callers never receive OAuth tokens or passwords |
A key may have been exposed | Regenerate it in one click — the old key stops working immediately |
You work across environments | Create separate keys for dev, staging, and production |
Security & trust
Section titled Security & trustMonkedo is designed so you stay in control:
Your key, your scope. Nothing is accessible through the API unless you add it to the key's configuration. Access is denied by default.
Secrets are protected. After creation or regeneration, the full key is shown once. Monkedo does not display it again in the dashboard or return it in list/detail responses.
Credentials stay on Monkedo's side. When an action needs a connected account, the key uses the connection you picked during setup. Your API consumers never handle raw login tokens.
Team boundaries are enforced. Keys belong to your team. Other teams cannot view or use your keys.
You can revoke access instantly. Deleting a key or regenerating it takes effect immediately. Associated triggers are cleaned up when a key or app is removed.
Connections are validated. If a linked account is expired, revoked, or missing required permissions, Monkedo surfaces that before you save — so you don't accidentally wire a key to a broken connection.
We recommend treating API keys like passwords: store them in a secrets manager, use one key per environment, grant the minimum components needed, and rotate or delete keys you no longer use.