Skip to main content

API Keys and Audit Logs

ProcureSwift exposes a REST API that lets third-party systems read and write procurement data programmatically. Access is controlled by API keys — long-lived secrets tied to a tenant, scoped to specific resources, and rate-limited per minute. Every call made with an API key is recorded in the API Audit Logs so administrators can see exactly what was done by which key.

Where to find it

  • API Keys: main menu → API Keys (/api-keys).
  • API Audit Logs: main menu → API Audit Logs (/api-audit-logs).

Both pages require the ApiKeys / View permission. Creating, revoking and deleting keys require ApiKeys / Create, ApiKeys / Manage and ApiKeys / Delete respectively.

Creating an API key

  1. Open API Keys and click Create API Key.
  2. Fill in the form:
    • Name — a label that identifies what this key is for (for example, Xero sync or Internal data export). Required.
    • Scopes — tick the resources and actions this key is allowed to perform. Leave all unticked to grant all scopes to the key. Available scopes:
      • purchase_orders:read, purchase_orders:write
      • invoices:read, invoices:write
      • catalog:read
      • delivery_notes:read, delivery_notes:write
      • quotations:read, quotations:write
      • proposals:read, proposals:write
      • rfqs:read, rfps:read
      • webhooks:manage
    • Expires At — optional date after which the key stops working. Leave blank for a non-expiring key.
    • Rate Limit / min — maximum number of requests this key can make per minute. Default is 100. Range is 1 to 10000.
  3. Click Create.
One-time secret display

Immediately after creation, the full API key value is shown once in a confirmation dialog. Copy it now and store it in a password manager or secret vault — the platform will never show it again. If the key is lost, revoke it and create a new one.

The key list shows only the key prefix (the first few characters) afterwards, so it is recognizable in logs without revealing the full secret.

Managing existing keys

The Active Keys table on /api-keys shows: Name, Key Prefix, Scopes, Expires, Status, Last Used, Rate Limit, Created.

Per-row actions:

  • Revoke (block icon) — immediately disables the key. Future requests with this key are rejected. Revoked keys stay in the list with status Revoked for audit purposes.
  • Delete (trash icon) — permanently removes the key record. Use this for cleanup after a revoked key has aged out of any active log retention window.

A key that has reached its expiration date is automatically inactive — the Expires column is shown in red.

Using an API key

Pass the key in the Authorization header on each API request:

Authorization: ApiKey <your-key>

Combined with the tenant identifier in the tenant header, this is enough for the server to authenticate and scope the request.

API Audit Logs

The API Audit Logs page records every HTTP request made with an API key. Each row shows:

  • API Key — name of the key used.
  • Method — HTTP method (GET / POST / PUT / DELETE), colour-coded.
  • Path — the endpoint that was called.
  • Status — HTTP status code, coloured by class (2xx green, 4xx amber, 5xx red).
  • IP Address — the client IP the call came from.
  • Duration — how long the call took, in milliseconds.
  • Timestamp — when the call happened.

Use the Filter by API Key dropdown to narrow the log to a single key.

The log is paginated (25 rows per page by default) and sorted by most recent first.

Tips

  • Create one key per integration, not one shared key for everything — that way revoking a compromised integration does not break the others.
  • Set narrow scopes. A read-only export script should get :read scopes only.
  • Use the rate limit to protect both the platform and the third-party system. A misbehaving script hitting the API in a tight loop is much easier to diagnose when it gets 429 Too Many Requests instead of bringing down a dependency.
  • Review the audit log periodically for unexpected paths or 4xx/5xx clusters — they often signal an integration that needs maintenance.

Permissions

ActionRequired permission
View keys, view audit logApiKeys / View
Create a new keyApiKeys / Create
Revoke a keyApiKeys / Manage
Delete a keyApiKeys / Delete
  • Webhooks — for receiving real-time event notifications from the platform.