API Keys

Creating, managing, and revoking API keys for programmatic data ingestion

API keys authenticate requests to the Ingest API. Each key is scoped to a single account, ensuring that data submitted with the key is always stored in the correct account.

Creating an API Key

You need the Account Admin role (or higher) to create API keys.

1. Navigate to Account SettingsAPI Keys

2. Click Create API Key

3. Enter a descriptive name (e.g., "Invoice Processing Bot", "Production Scripts")

4. Click Create

5. Copy the key immediately — it will only be displayed once

The key format is: rpakey_ followed by a unique identifier (e.g., rpakey_a1b2c3d4xxxxxxxxxxxxxxxx).

> Important: Store your API key securely. If you lose it, you'll need to create a new one. RPA Watch stores only the hash of the key — it cannot be retrieved after creation.

Using an API Key

Include the key in the X-API-Key header of every Ingest API request:

curl https://rpawatch.com/api/v1/ingest/report \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "flow_id": "4de713a3-1a07-4282-8885-dfbaa7869a31",
    "status": "partial_success",
    "started_at": "2026-03-10T21:43:51.863Z",
    "finished_at": "2026-03-10T21:48:51.863Z",
    "target": "SAP",
    "source": "Excel Import",
    "robot_id": "YOUR_ROBOT_ID",
    "result_summary": "8 of 10 records processed successfully",
    "error_message": "2 records failed validation",
    "details": [
      {"sequence_no": 1, "record_id": "REC-001", "record_name": "Record 1", "status": "success", "result": "Created successfully"},
      {"sequence_no": 2, "record_id": "REC-002", "record_name": "Record 2", "status": "failed", "result": "ID validation failed", "error_message": "Invalid ID number"},
      {"sequence_no": 3, "record_id": "REC-003", "record_name": "Record 3", "status": "failed", "result": "Address check failed", "error_message": "Missing address info"}
    ]
  }'

Key Scoping

Account Scope

Every API key is tied to a specific account. When you submit data with an API key:

- The job is automatically associated with that account

- The process must belong to the same account

- No cross-account access is possible

Managing API Keys

Viewing Keys

Go to Account SettingsAPI Keys to see all keys for the current account. The list shows:

- Key name

- Key prefix (first 8 characters after rpakey_)

- Created date

- Last used date

- Active/inactive status

Deactivating a Key

To revoke access without deleting the key:

1. Find the key in the list

2. Click Deactivate

3. The key immediately stops working

4. Historical data submitted with the key is preserved

Deactivation is permanent — a deactivated key cannot be reactivated. Create a new key if needed.

Rate Limits

API keys are rate-limited to 60 requests per minute. If you exceed this limit, the API returns 429 Too Many Requests.

For high-volume scenarios, batch your data using the [One-Shot Report Endpoint](/docs/one-shot-report) which submits an entire job in a single request.

Security Best Practices

- Never commit API keys to source control — use environment variables or secret managers

- Use descriptive names — makes it easy to identify which system uses which key

- Rotate keys periodically — create a new key, update your systems, then deactivate the old one

- Use process-scoped keys when a key is only needed for a single process

- Deactivate unused keys immediately