API Keys & Authentication
Your precise tool for JSON data
Token Management
Every API key issued by JSON-Werkstatt follows the jwt_ prefix convention and is scoped to a single workspace. Keys expire after 90 days by default, with automatic rotation reminders sent to the workspace owner at 30, 14, and 7 days before expiry.
Generation
Create a New API Key
Navigate to Settings → API Access → Generate Key. Choose a descriptive label (e.g., ci-pipeline-prod) and assign permissions: read, write, or admin. The full key is displayed exactly once upon creation. Copy it immediately — it cannot be recovered later.
Rotation
Rotate Keys on a Schedule
Rotate keys every 90 days, or immediately after any team member departure. Generate a replacement key first, update all integrations, then revoke the old key. Use the bulk-revoke endpoint POST /v2/api-keys/revoke with an array of key IDs to retire multiple tokens in a single request. The revocation takes effect within 60 seconds across all edge nodes.
Auditing
Monitor Key Usage
Each key carries a unique fingerprint visible in the audit log at /v2/audit/api-keys. Logs record timestamp, source IP, requested endpoint, and response status. Keys with no activity for 60 days are flagged as dormant and can be bulk-disabled from the dashboard. Set up Slack or email alerts for anomalous patterns, such as requests from unfamiliar geolocations or sudden spikes above your baseline of 2,400 requests per hour.
Security Best Practices
How you transmit your API key matters as much as how you protect it. Follow these guidelines to keep your workspace secure in every integration.
Headers
Always Use Authorization Headers
Send your key exclusively via the Authorization: Bearer <token> header. Never embed keys in URL query strings: they persist in browser history, server access logs, and proxy logs. All JSON-Werkstatt endpoints reject keys passed as query parameters and return 401 Unauthorized with error code ERR_KEY_MISPLACED.
Transport
Enforce TLS 1.2 or Higher
Every request to api.json-werkstatt.de must use HTTPS. The API rejects plaintext HTTP connections with a 403 and redirects to the secure endpoint. Pin the server certificate in production environments where possible. Our TLS configuration supports ECDHE-RSA-AES256-GCM-SHA384 and rotates certificates monthly via Let's Encrypt.
Storage
Store Keys in Secure Environment Variables
Never commit keys to version control. Use environment variables (JSON_WERKSTATT_API_KEY) or a secrets manager such as HashiCorp Vault, AWS Secrets Manager, or GitHub Actions secrets. For local development, store keys in a .env file listed in .gitignore. Keys stored in plain-text configuration files on shared machines should be rotated within 24 hours of discovery.
Scope
Apply Least-Privilege Permissions
Create separate keys for each service or environment. Your CI/CD pipeline needs write access to transform schemas, but the analytics dashboard only requires read. A key with admin scope should be reserved for incident response and used through short-lived access tokens generated via POST /v2/sessions/short-lived with a maximum lifetime of 15 minutes.
If you suspect a key has been compromised, revoke it immediately from the dashboard or via POST /v2/api-keys/revoke and generate a replacement. Report the incident to security@json-werkstatt.de; our response team acknowledges reports within 4 business hours.
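The Headers, Transport, Storage, Rotation and Scope rules above, pulled together in a small client helper. This is an added example, not part of the JSON-Werkstatt SDK or documentation: the key is taken only from JSON_WERKSTATT_API_KEY, sent only as Authorization: Bearer over HTTPS to api.json-werkstatt.de, and the last step of rotation issues the bulk revoke against POST /v2/api-keys/revoke. The `send` callback (so the code runs offline) and the `{"key_ids": [...]}` request body are assumptions.

```python
import json
import os
from dataclasses import dataclass
from typing import Callable, Mapping, Optional
from urllib.parse import urlsplit

API_BASE = "https://api.json-werkstatt.de"
KEY_PREFIX = "jwt_"                      # prefix convention from the docs
ENV_VAR = "JSON_WERKSTATT_API_KEY"       # environment variable named in the docs

@dataclass
class Request:
    method: str
    url: str
    headers: dict
    body: Optional[bytes] = None

def load_key(env: Mapping[str, str] = os.environ) -> str:
    """Take the key from the environment only, never from a config file or CLI flag."""
    key = env.get(ENV_VAR, "")
    if not key.startswith(KEY_PREFIX):
        raise ValueError(f"{ENV_VAR} is unset or is not a {KEY_PREFIX}-prefixed key")
    return key

def redact(key: str) -> str:
    """Log-safe rendering: prefix plus the last four characters, never the full key."""
    return f"{KEY_PREFIX}...{key[-4:]}"

def build_request(method: str, path: str, key: str, payload=None,
                  base: str = API_BASE) -> Request:
    """Bearer header only, HTTPS only, and refuse a key smuggled into the query string."""
    url = base + path
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("the API rejects plaintext HTTP; refusing to send the key")
    if KEY_PREFIX in parts.query:
        raise ValueError("a key in a query parameter is logged and answered with ERR_KEY_MISPLACED")
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    body = json.dumps(payload).encode() if payload is not None else None
    return Request(method, url, headers, body)

def rotate(old_key_ids: list, new_key: str, send: Callable[[Request], int]) -> int:
    """Last step of the documented rotation order: the caller has already generated
    `new_key` and switched every integration to it, so the bulk revoke of the old IDs
    is authenticated with the new key. The {"key_ids": [...]} body shape is assumed."""
    req = build_request("POST", "/v2/api-keys/revoke", new_key, {"key_ids": old_key_ids})
    return send(req)
```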
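The checks described under Monitor Key Usage above, run over constructed audit-log records. This is an added example, not JSON-Werkstatt code: each record carries the four documented fields (timestamp, source IP, endpoint, status) plus the key fingerprint, and the script flags requests from sources outside a per-key known set, hourly volume above the 2,400 requests/hour baseline, and keys dormant for 60 days or more. The field names, the `known_ips` allowlist and the fingerprint values are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

DORMANT_AFTER = timedelta(days=60)   # dormant threshold from the docs
BASELINE_PER_HOUR = 2400             # example baseline quoted in the docs

def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def analyse(records, known_keys, known_ips, now):
    """Map each key fingerprint to its findings: unknown source IP, hourly volume
    above baseline, and dormancy. `known_ips` is the per-key set of expected
    sources (assumed to be maintained by the workspace owner)."""
    last_seen, per_hour, findings = {}, Counter(), defaultdict(list)
    for r in records:
        t, fp = parse_ts(r["ts"]), r["fp"]
        last_seen[fp] = max(t, last_seen.get(fp, t))
        per_hour[(fp, t.replace(minute=0, second=0))] += 1
        if r["ip"] not in known_ips.get(fp, set()):
            msg = f"request from unknown source {r['ip']} to {r['endpoint']} ({r['status']})"
            if msg not in findings.get(fp, ()):
                findings[fp].append(msg)
    for (fp, hour), n in per_hour.items():
        if n > BASELINE_PER_HOUR:
            findings[fp].append(
                f"{n} requests in hour {hour:%Y-%m-%d %H:00}Z exceed baseline {BASELINE_PER_HOUR}")
    for fp in known_keys:   # keys absent from the log entirely are dormant as well
        seen = last_seen.get(fp)
        if seen is None or now - seen >= DORMANT_AFTER:
            findings[fp].append("dormant for 60+ days: candidate for bulk-disable")
    return dict(findings)

def run_sample():
    """Constructed log records: a CI key spiking past the baseline, an analytics key
    used from an unexpected address, and a staging key last seen in February."""
    ci = {"fp": "fp_ci", "ip": "203.0.113.10", "endpoint": "/v2/transform", "status": 200}
    spike = [dict(ci, ts="2024-05-01T11:%02d:%02dZ" % (i // 60, i % 60)) for i in range(2500)]
    stray = [{"ts": "2024-05-01T12:05:00Z", "fp": "fp_analytics", "ip": "198.51.100.7",
              "endpoint": "/v2/audit/api-keys", "status": 401}]
    old = [dict(ci, fp="fp_staging", ts="2024-02-20T09:00:00Z")]
    known_ips = {"fp_ci": {"203.0.113.10"}, "fp_analytics": {"192.0.2.44"},
                 "fp_staging": {"203.0.113.10"}}
    now = parse_ts("2024-05-01T13:00:00Z")
    return analyse(spike + stray + old, list(known_ips), known_ips, now)

if __name__ == "__main__":
    for fp, notes in run_sample().items():
        print(fp, *notes, sep="\n  ")
```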