API Keys

API Keys provide programmatic access to GrowPanel's REST API. Use API keys to integrate GrowPanel with your own systems, automate data exports, or build custom dashboards.

Accessing API keys

Navigate to Account → API Keys to manage your keys.

API key list

The page displays all API keys for your account:

Creating an API key

Step 1: Click Create

Click the Create API Key button.

Step 2: Enter a name

Give your key a descriptive name that identifies its purpose:

• "Production integration"
• "Google Sheets extension"
• "Internal dashboard"
• "Zapier automation"

Step 3: Copy your key

After creation, your API key is displayed once:

1. Copy the key immediately
2. Store it securely (password manager, secrets vault)
3. Click Done

Important: You cannot retrieve the full key after this dialog closes. If you lose it, you'll need to regenerate or create a new key.

Using API keys

Authentication

Include your API key in the Authorization header:

curl https://api.growpanel.io/v1/reports/mrr \
  -H "Authorization: Bearer YOUR_API_KEY"

What you can do with the API

API keys provide access to:

• Reports - Fetch MRR, ARR, churn, and other metrics
• Customers - List and retrieve customer data
• Data - Push data via Custom API integration
• Account - Read account information

See the REST API documentation for complete endpoint reference.

Managing API keys

Copy a key

If you need to use a key again:

1. Click the Copy button next to the key
2. A partial key is copied (enough to identify it)
3. If you need the full key, you must regenerate

Note: For security, full keys are not stored and cannot be retrieved.

Regenerate a key

To get a new key value while keeping the same name:

1. Click Regenerate next to the key
2. Confirm the action
3. Copy the new key immediately
4. Update your integrations with the new key

Warning: The old key stops working immediately. Regenerate only when necessary.

Delete a key

To permanently remove an API key:

1. Click Delete next to the key
2. Confirm the deletion

The key stops working immediately and cannot be recovered.

Best practices

Use descriptive names

Name keys by their purpose or the system using them:

• Good: "Production Slack integration"
• Bad: "API key 1"

This helps you identify which keys are in use and where.

One key per integration

Create separate keys for each integration:

• If one key is compromised, you only need to rotate one
• Easier to track usage per integration
• Simpler to decommission old integrations

Rotate keys periodically

For security, rotate API keys every 90 days:

1. Create a new key with the same name + "(new)"
2. Update your integration to use the new key
3. Verify the integration works
4. Delete the old key

Monitor usage

Check the "Last used" column to identify:

• Keys that are actively in use
• Keys that haven't been used (may be safe to delete)
• Unexpected usage patterns

Secure storage

Never store API keys in:

• Source code repositories
• Unencrypted configuration files
• Email or chat messages
• Shared documents

Instead, use:

• Environment variables
• Secrets managers (AWS Secrets Manager, HashiCorp Vault)
• Password managers
• Encrypted configuration

Security

Key exposure

If you suspect a key has been exposed:

1. Regenerate or delete the key immediately
2. Review API logs for unauthorized access
3. Check for unexpected data changes
4. Create a new key for legitimate uses

Rate limiting

API keys are subject to rate limits:

• Requests are limited per minute and per day
• Exceeding limits returns a 429 error
• See Rate limiting for details

IP restrictions

Currently, API keys work from any IP address. Contact support if you need IP allowlisting for enterprise security requirements.

Who can manage API keys

Related pages

• REST API documentation - Complete API reference
• Custom API integration - Push data via API
• Google Sheets integration - Uses API keys
• Team - Role permissions