4.3.1 Integrations — API Keys & Tokens — Creating Keys — Scopes and Expiration

API Keys provide a controlled authentication mechanism for programmatic access to Praisma Hub APIs. Keys are intended for server-to-server integrations and automation where OAuth is not applicable. Each key is explicitly scoped and, by default, time-bound, so that a leaked key is limited in both what it can do and for how long.

Key Creation

API keys are created through an explicit action by an authorized user. Key material is generated once and displayed only at creation time.

Key properties:

Unique identifier

Secret value

Assigned scopes

Optional expiration

Example creation:

    $key = ApiKey::create([
        'tenant_id'  => tenant('id'),                       // bound to the current tenant; cannot be widened later
        'name'       => 'ci-integration',                   // label used in audit logs and for revocation
        'scopes'     => ['content.read', 'content.write'],  // explicit opt-in; no wildcards
        'expires_at' => now()->addDays(90),                 // omit only where policy permits a non-expiring key
    ]);

Scope Definition

Scopes define the exact operations an API key may perform. Keys cannot exceed the privileges of the creating user.

Scope principles:

Least privilege

Explicit opt-in per capability

No wildcard scopes by default

Example scope check:

    if (!$apiKey->allows('content.write')) {
        abort(403);   // scope not granted: fail closed before any write is attempted
    }
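The runtime check above assumes the scopes on the key were valid to begin with. The following is an added example, not Praisma Hub's own code, of the creation-time validation that makes that true: every requested scope must be explicitly named, known to the platform, free of wildcards, and no broader than what the creating user holds. The scope catalogue in KNOWN_SCOPES and the use of InvalidArgumentException are assumptions for illustration.

```php
<?php
// Added example (not Praisma Hub's own code): validate the scopes requested for a
// new key against the creating user's own privileges. KNOWN_SCOPES and the
// exception type are assumptions for illustration.

declare(strict_types=1);

/** Scopes the platform recognises (assumed catalogue). Anything else is rejected. */
const KNOWN_SCOPES = [
    'content.read', 'content.write', 'content.delete',
    'users.read', 'users.write',
];

/**
 * Return the scopes the key will carry, or throw. Rules:
 *  - every scope must be explicitly named and known (no 'content.*' or '*')
 *  - the set must not exceed what the creating user holds
 *  - an empty request is refused rather than widened to a default
 */
function grantableScopes(array $requested, array $creatorScopes): array
{
    if ($requested === []) {
        throw new InvalidArgumentException('A key must opt in to at least one scope.');
    }

    $requested = array_values(array_unique($requested));

    foreach ($requested as $scope) {
        if (!is_string($scope)) {
            throw new InvalidArgumentException('Scope names must be strings.');
        }
        if (str_contains($scope, '*')) {
            throw new InvalidArgumentException("Wildcard scopes are not permitted: {$scope}");
        }
        if (!in_array($scope, KNOWN_SCOPES, true)) {
            throw new InvalidArgumentException("Unknown scope: {$scope}");
        }
    }

    // Least-privilege ceiling: a key is at most as powerful as its creator.
    $excess = array_diff($requested, $creatorScopes);
    if ($excess !== []) {
        throw new InvalidArgumentException(
            'Requested scopes exceed the creating user: ' . implode(', ', $excess)
        );
    }

    return $requested;
}

// --- constructed inputs ---
$creator = ['content.read', 'content.write', 'users.read'];

// Accepted: a strict subset of the creator's privileges.
$granted = grantableScopes(['content.read', 'content.write'], $creator);
echo 'granted: ', implode(',', $granted), "\n";

// Rejected: wildcard, unknown scope, privilege escalation, and empty request each fail closed.
foreach ([['content.*'], ['billing.read'], ['content.delete'], []] as $attempt) {
    try {
        grantableScopes($attempt, $creator);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The ceiling check uses the creator's effective privileges at creation time; if a user later loses a privilege, keys they created are not automatically narrowed, which is why revocation (below) exists as a separate control.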

Expiration and Validity

API keys may have fixed expiration dates or be non-expiring where policy allows. Expired keys are rejected deterministically.

Expiration behavior:

Enforced on every request

No grace period after expiry

Visible to administrators

Key Presentation and Storage

The secret portion of an API key is hashed before storage and never retrievable after creation.

Storage guarantees:

One-time secret visibility

Hashed at rest; the secret is never stored in a recoverable form

No logging of secrets
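The creation and storage rules above (one-time visibility, hash at rest, no secrets in logs) fit together as follows. This is an added example, not Praisma Hub's own code: the ph_ token prefix, the token layout, and the in-memory $store array are assumptions for illustration.

```php
<?php
// Added example (not Praisma Hub's own code): issue an API key whose secret is
// shown once and stored only as a hash, then verify a presented key against the
// store. The ph_ prefix, token layout and $store array are assumptions.

declare(strict_types=1);

/**
 * Create a key. Returns the record to persist and the one-time plaintext token.
 * The plaintext must be handed to the caller now; it is not recoverable later.
 */
function issueKey(string $tenantId, string $name, array $scopes, ?DateTimeImmutable $expiresAt): array
{
    $keyId  = bin2hex(random_bytes(8));   // public identifier, safe to log
    $secret = bin2hex(random_bytes(32));  // 256 bits of entropy, never persisted

    $record = [
        'id'          => $keyId,
        'tenant_id'   => $tenantId,
        'name'        => $name,
        'scopes'      => $scopes,
        'expires_at'  => $expiresAt,
        'revoked_at'  => null,
        // A fast hash suffices because the secret is high-entropy random data;
        // slow password KDFs are for low-entropy, user-chosen secrets.
        'secret_hash' => hash('sha256', $secret),
    ];

    // Token format: prefix, identifier, secret. The identifier lets verification
    // look the record up directly instead of hashing against every stored key.
    $token = "ph_{$keyId}.{$secret}";

    return [$record, $token];
}

/**
 * Resolve a presented token to its record, or null. hash_equals() gives a
 * constant-time comparison so timing does not leak how many bytes matched.
 */
function verifyKey(string $token, array $store): ?array
{
    if (!preg_match('/^ph_([0-9a-f]{16})\.([0-9a-f]{64})$/', $token, $m)) {
        return null;
    }
    [, $keyId, $secret] = $m;

    $record = $store[$keyId] ?? null;
    if ($record === null) {
        return null;
    }
    if (!hash_equals($record['secret_hash'], hash('sha256', $secret))) {
        return null;
    }
    return $record;
}

// --- usage with a constructed in-memory store ---
$store = [];
[$record, $token] = issueKey(
    'tenant-42',
    'ci-integration',
    ['content.read', 'content.write'],
    (new DateTimeImmutable('now'))->modify('+90 days')
);
$store[$record['id']] = $record;

// Only the identifier reaches the log; the secret never does.
error_log("issued api key id={$record['id']} tenant={$record['tenant_id']}");
echo "Show this once, it will not be displayed again: {$token}\n";

// A genuine token resolves; a token with its last secret character altered does not.
$tampered = substr($token, 0, -1) . ($token[-1] === 'a' ? 'b' : 'a');
var_dump(verifyKey($token, $store) !== null);
var_dump(verifyKey($tampered, $store) !== null);
```

Splitting the token into a lookup identifier and a secret also means that an administrator's key listing can show the identifier and name for audit and revocation without ever revealing the secret.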

Usage Tracking

API key usage is tracked independently of user sessions.

Tracked metrics:

Requests per key

Scopes exercised

Error rates

Usage data supports auditing and anomaly detection.

Revocation

Keys may be revoked manually or automatically based on policy. Revocation is immediate and irreversible.

Revocation behavior:

Instant invalidation

No request is served with a revoked key, including work already pending at the moment of revocation

Logged for audit

Security and Isolation

API keys are tenant-scoped and cannot access resources outside their assigned context. Rate limiting and abuse detection apply equally to key-based access.
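The per-request decision that ties the sections on scopes, expiration, revocation and tenant isolation together is small enough to show in one place. This is an added example, not Praisma Hub's own code, operating on a key record that has already been authenticated; the field names (tenant_id, scopes, expires_at, revoked_at) and the AuthzResult type are assumptions for illustration.

```php
<?php
// Added example (not Praisma Hub's own code): the per-request authorization
// decision for an already-authenticated key record. Checks revocation, expiry,
// tenant isolation and scope, in that order, and fails closed. Field names and
// the AuthzResult type are assumptions.

declare(strict_types=1);

final class AuthzResult
{
    public function __construct(public readonly bool $allowed, public readonly string $reason) {}
}

/**
 * @param array             $key           persisted record: tenant_id, scopes, expires_at, revoked_at
 * @param string            $requestTenant tenant the request is addressed to
 * @param string            $requiredScope scope the endpoint demands
 * @param DateTimeImmutable $now           evaluated on every request, never cached
 */
function authorizeRequest(array $key, string $requestTenant, string $requiredScope, DateTimeImmutable $now): AuthzResult
{
    // Revocation is re-checked on every call, so a key revoked a moment ago
    // fails even though the previous request with it succeeded.
    if ($key['revoked_at'] !== null) {
        return new AuthzResult(false, 'key revoked');
    }

    // Strict comparison: at or after expires_at the key is dead, no grace window.
    // A null expires_at means a non-expiring key (where policy allows).
    if ($key['expires_at'] !== null && $now >= $key['expires_at']) {
        return new AuthzResult(false, 'key expired');
    }

    // Tenant isolation: a key never reaches another tenant's resources, even
    // when the scope name would otherwise match.
    if ($key['tenant_id'] !== $requestTenant) {
        return new AuthzResult(false, 'tenant mismatch');
    }

    // Scope: exact membership only; no prefix or wildcard matching.
    if (!in_array($requiredScope, $key['scopes'], true)) {
        return new AuthzResult(false, "missing scope {$requiredScope}");
    }

    return new AuthzResult(true, 'ok');
}

// --- constructed key record and requests ---
$key = [
    'id'         => '3f9a1c2e5b7d8e01',
    'tenant_id'  => 'tenant-42',
    'scopes'     => ['content.read'],
    'expires_at' => new DateTimeImmutable('2025-01-01T00:00:00Z'),
    'revoked_at' => null,
];

$cases = [
    ['tenant-42', 'content.read',  new DateTimeImmutable('2024-12-31T23:59:59Z')], // one second before expiry
    ['tenant-42', 'content.read',  new DateTimeImmutable('2025-01-01T00:00:00Z')], // exactly at expiry
    ['tenant-42', 'content.write', new DateTimeImmutable('2024-06-01T00:00:00Z')], // scope not granted
    ['tenant-7',  'content.read',  new DateTimeImmutable('2024-06-01T00:00:00Z')], // other tenant
];
foreach ($cases as [$tenant, $scope, $at]) {
    $r = authorizeRequest($key, $tenant, $scope, $at);
    printf("%-10s %-14s %s -> %s (%s)\n",
        $tenant, $scope, $at->format('c'), $r->allowed ? 'allow' : 'deny', $r->reason);
}

// Revocation is immediate: the request that passed above now fails.
$key['revoked_at'] = new DateTimeImmutable('2024-06-01T12:00:00Z');
echo authorizeRequest($key, 'tenant-42', 'content.read',
    new DateTimeImmutable('2024-06-01T12:00:01Z'))->reason, "\n";
```

The order matters for what a caller learns: revocation and expiry are reported before tenant or scope, so a dead key reveals nothing about which tenants or scopes it once covered.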