Account and operations
Use API keys and signed webhooks
Create scoped integration credentials, verify signed webhook deliveries, and operate integrations without exposing secrets.
- For
- Workspace owners, admins, and integration developers
- Typical time
- 15 minutes
Before you start
- An eligible plan and workspace role
- A secure secret manager for credentials
Procedure
Step by step
Create a named API key
Use a purpose-specific name. Copy the plaintext value immediately and store it in a secret manager; the full value is not shown again.
Configure a webhook endpoint
Use HTTPS in production, select only required events, and store the signing secret securely.
Verify every delivery
Validate the timestamped HMAC signature against the raw request body, enforce the allowed time window, and reject mismatches before parsing or acting.
Test, observe, and rotate
Send a test event, inspect delivery status, rotate exposed secrets, and revoke unused keys. Do not place credentials in browser code or logs.
Delivery safety
Webhook retries can repeat an event, so consumers should be idempotent. Treat payloads as workspace data and avoid logging document content, private URLs, tokens, or credentials.
Related guides
- Manage workspaces, members, invitations, and rolesKeep work in the right workspace, invite teammates, assign least-privilege roles, and transfer ownership carefully.
- Manage account access, security, export, and deletionVerify account access, recover or change a password, export your documents, and understand permanent account deletion.
- Review, approve, and deliver Exchange workCompare immutable revisions, verify evidence, request changes, approve the right submission, and create controlled delivery access.
- Get support and report an accessibility barrierSend enough context for a useful response without putting confidential documents or sensitive credentials into the contact form.