API Keys

The API Keys section (under Settings → Other) generates access tokens for the User Evaluation public API. This is the same API surface our Zapier integration uses, and you can call it directly from your own scripts.

Building an integration? Start at the API Overview and the Quickstart — they walk you from "I have a paid account" to "I'm reading transcripts in code" in five minutes.

Generating a key

In Settings → Other → API Keys, click Generate API Key. You'll be asked to give the key a name (e.g. "Zapier — onboarding study") so you can tell your keys apart later.

The full key is shown once, in a copy-once dialog. After that, the table only shows ue_live_••••••••<last4>. We can't recover the secret. If you lose it, generate a new key and revoke the old one.

Keys are sensitive. Anyone with one can act on behalf of your workspace. Store keys in a secret manager (1Password, Doppler, AWS SSM). Never commit them to source control or paste them into shared chat.

Revoking a key

Click the trash icon in the Actions column. Revocation is immediate — any script using that key starts getting 401 unauthorized from the next request onward.

Rotating keys

Rotate keys periodically:

  1. Generate a new key (give it a date in the name).
  2. Roll the new key out to your client.
  3. After confirming traffic on the new key, revoke the old one.

Plan requirements

API keys can only be generated by admin or superadmin users on a paid plan. Free accounts and participants don't have access.

Auto-revocation

We auto-revoke keys that show signs of being leaked or misused — specifically, keys with sustained high error rates (lots of 401s/422s in a short window). This is a server-side protection; if a key stops working unexpectedly, generate a new one once you've found the leak.
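
A client-side guard for the auto-revocation behaviour described above, as an added example that is not User Evaluation's own code: it stops a script from sending once 401/422 responses accumulate, so a misconfigured integration does not keep retrying with a bad key or payload. The window and limit are assumed values (the page does not publish the server's thresholds), and KeyErrorGuard and replay are hypothetical names.

```python
import time
from collections import deque

# Assumed thresholds: the page does not publish the auto-revocation limits.
WINDOW_SECONDS = 60
MAX_ERRORS = 5
GUARDED = {401, 422}  # the two statuses the page names

class KeyErrorGuard:
    """Client-side breaker: stop sending once 401/422 responses pile up."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_ERRORS, clock=time.monotonic):
        self.window, self.limit, self.clock = window, limit, clock
        self.errors = deque()  # timestamps of recent 401/422 responses
        self.tripped = False

    def record(self, status):
        """Feed in every response status; returns False once tripped."""
        now = self.clock()
        if status in GUARDED:
            self.errors.append(now)
        # Drop errors that have aged out of the sliding window.
        while self.errors and now - self.errors[0] > self.window:
            self.errors.popleft()
        if len(self.errors) >= self.limit:
            self.tripped = True  # stays tripped until reset() is called
        return not self.tripped

    def reset(self):
        """Call only after the key or the request payload has been fixed."""
        self.errors.clear()
        self.tripped = False

def replay(events, **kwargs):
    """Replay (seconds, status) pairs; return (requests_sent, tripped)."""
    now = [0.0]
    guard = KeyErrorGuard(clock=lambda: now[0], **kwargs)
    sent = 0
    for seconds, status in events:
        now[0] = seconds
        if guard.tripped:
            break
        sent += 1
        guard.record(status)
    return sent, guard.tripped

# Constructed sample: a script whose key was revoked after the first call.
SAMPLE = [(0, 200), (1, 401), (2, 401), (3, 401), (4, 422), (5, 401), (6, 401), (7, 401)]
```

Call record() with each response's status code and halt the job when it returns False; 5xx and other statuses are not counted.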

Where keys work

API keys authenticate requests to:

  • The User Evaluation REST API at https://api.userevaluation.com/v1 (reference)
  • Zapier triggers and actions
  • Any first-party scripts you write

Usage stats

Each call you make is logged for 90 days. The API Usage section right below API Keys shows your last-24h and last-7d totals, error breakdowns, top endpoints, and the most recent 20 requests. Use it to spot integrations that are hitting rate limits or errors.

Security

  • Keys are scoped to your workspace, not your user. If you leave the workspace, an admin should revoke any keys you generated.
  • We store only a SHA-256 hash of each key on our side — we physically cannot reveal a key after creation.
  • We rate-limit per-key (60–1000 rpm depending on plan). See the rate limits doc.
  • You can optionally restrict a key to specific source IPs (currently via support; UI coming).