API Access
API keys let your applications authenticate with the Harmony API for programmatic access. Each key can have its own permission level and rate limit.
How to access API settings
Click your workspace name in the top-left corner and select Workspace settings.
In the settings sidebar under Security & Trust, click API.
This opens the API Keys page where you can create and manage all your keys.
Creating an API key
To create a new API key in Harmony, go to the API Keys page and look for the “+ Create API Key” button in the top-right corner. Give your key a clear, descriptive name so you’ll recognize what it’s for later on (for example, “Data Warehouse Sync” or “Custom Dashboard”).
Next, you’ll have the option to assign a role to the API key. If you pick a role, the key automatically gets the same permissions as that role. If you decide to leave it as “No role,” then the key will use Harmony’s default permissions. This lets you control exactly what the API key can access.
You can also decide how many requests this key is allowed to make per minute by setting the rate limit. By default, this is set to 100 requests per minute, but you can adjust it based on your needs. This helps protect your workspace and make sure your applications run smoothly.
Harmony lets you add an expiration date for your API key if you want an extra layer of security. If you don’t set an expiration, the key will stay valid indefinitely until you decide to revoke it.
Once you’re happy with your settings, just click Create API Key.
You’ll see your new API key only once, right after you create it, so be sure to copy it and store it somewhere safe.
Authentication
Include your API key in the Authorization header of every request:
Authorization: Bearer YOUR_API_KEY
Managing your keys
All created keys appear on the API Keys page. From here you can review each key's name, role, rate limit, and expiration. You can also revoke keys that are no longer needed.
If you suspect a key has been compromised, revoke it immediately and create a new one.
Security best practices
Store API keys in environment variables or a secrets manager — never hard-code them in your application or commit them to a code repository. Rotate keys periodically, especially for production systems. Use the role and rate limit settings to follow the principle of least privilege, giving each key only the access it needs.
API keys are scoped to your workspace. Harmony does not share API key data across workspaces or use it for any purpose other than authenticating your requests.
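The sketch below is an added example, not Harmony's own code. It shows one way a client can follow these practices: read the key from the environment, build the Authorization header, keep the key out of logs, and stay under the key's per-minute rate limit. The variable name HARMONY_API_KEY and all function and class names are assumptions made for illustration.

```python
import os
import time
from collections import deque

ENV_VAR = "HARMONY_API_KEY"  # assumed variable name, not defined by Harmony


def load_api_key(env=os.environ):
    """Read the key from the environment; fail closed if it is missing."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; refusing to send requests")
    return key


def auth_headers(key):
    """Build the header the page specifies: Authorization: Bearer <key>."""
    return {"Authorization": f"Bearer {key}"}


def redact(key, keep=4):
    """Return a form of the key that is safe to write to logs."""
    if len(key) <= keep * 2:
        return "*" * len(key)
    return "*" * (len(key) - keep) + key[-keep:]


class MinuteThrottle:
    """Sliding 60 s window: never more than per_minute requests in any minute."""

    def __init__(self, per_minute=100, clock=time.monotonic):
        self.per_minute = per_minute  # match the limit set on the key
        self.clock = clock
        self.sent = deque()  # timestamps of requests sent in the last 60 s

    def wait_time(self):
        """Seconds to wait before the next request is allowed (0.0 if none)."""
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60.0:
            self.sent.popleft()
        if len(self.sent) < self.per_minute:
            return 0.0
        return 60.0 - (now - self.sent[0])

    def record(self):
        """Call once for every request actually sent."""
        self.sent.append(self.clock())
```

Before each request, sleep for wait_time() seconds, send with auth_headers(load_api_key()), then call record(); log only redact(key), never the key itself.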