API Keys
API keys let external systems authenticate with the Fynex REST API for machine-to-machine integrations. Each key is scoped to specific permissions and tied to your organization.
Creating an API Key
- Go to Settings > Integrations.
- In the API Keys section, click Create API Key.
- Enter a descriptive name (e.g., "CRM Sync" or "Reporting Pipeline").
- Select the scopes your integration needs (see table below).
- Optionally set an expiry date. Keys without an expiry remain valid until revoked.
- Click Create.
WARNING
The full API key is shown only once. Copy it immediately and store it in a secure location (e.g., a secrets manager or environment variable). You cannot retrieve it later.
Scopes
Each scope grants access to a specific set of API operations. Assign only the scopes your integration requires.
| Scope | Description |
|---|---|
| accounts:read | List and read account data |
| accounts:write | Create and update accounts |
| contacts:read | List and read contact information |
| contacts:write | Create and update contacts |
| payments:write | Register payments against accounts |
| import | Bulk import accounts via the import endpoint |
| export | Export accounts and interaction data |
| webhooks:manage | Create, update, and delete webhook subscriptions |
Using Your API Key
Include the key in the X-API-Key header of every HTTP request:
curl -H "X-API-Key: fynex_k_abc123..." \
  https://api.fynex.solutions/api/v1/accounts
All API responses include standard HTTP status codes. A 401 response means the key is missing, invalid, or expired. A 403 means the key lacks the required scope for the requested operation.
Rate Limits
API key requests are rate-limited to 100 requests per 15-minute window. If you exceed this limit, the API returns a 429 Too Many Requests response with a Retry-After header indicating when you can resume.
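A minimal client for the header, status-code and rate-limit behaviour described above, added here as an example and not Fynex's own code. It reads the key from an environment variable (the name FYNEX_API_KEY is an assumption), treats 401 and 403 as non-retryable, and waits out a 429 using Retry-After; the header's format is not stated on this page, so both forms HTTP allows (seconds or a date) are parsed.

```python
import email.utils
import os
import time
import urllib.error
import urllib.request

BASE_URL = "https://api.fynex.solutions/api/v1"  # from the curl example on this page
DEFAULT_WAIT = 60.0  # assumed fallback when Retry-After is missing or unparsable


class ApiKeyError(Exception):
    """401 or 403: retrying with the same key cannot succeed."""


def retry_after_seconds(value, now=None):
    """Parse Retry-After given as delta-seconds or as an HTTP-date."""
    try:
        return max(0.0, float(value))
    except (TypeError, ValueError):
        pass
    try:
        when = email.utils.parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return DEFAULT_WAIT
    return max(0.0, when.timestamp() - (time.time() if now is None else now))


def get(path, api_key=None, opener=urllib.request.urlopen, sleep=time.sleep, attempts=3):
    """GET BASE_URL + path with the key in X-API-Key; wait and retry on 429."""
    # FYNEX_API_KEY is an assumed variable name; the key is never hard-coded or logged.
    api_key = api_key or os.environ["FYNEX_API_KEY"]
    req = urllib.request.Request(BASE_URL + path, headers={"X-API-Key": api_key})
    for attempt in range(1, attempts + 1):
        try:
            with opener(req) as resp:
                return resp.read()
        except urllib.error.HTTPError as err:
            if err.code == 401:
                raise ApiKeyError("401: key missing, invalid or expired") from None
            if err.code == 403:
                raise ApiKeyError("403: key lacks the scope needed for " + path) from None
            if err.code != 429 or attempt == attempts:
                raise
            sleep(retry_after_seconds(err.headers.get("Retry-After")))
```

The `opener` and `sleep` parameters exist so the retry logic can be exercised without network access; in production the defaults apply.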
Revoking a Key
- Go to Settings > Integrations.
- Find the key in the API Keys list.
- Click the Revoke button and confirm.
Revoked keys are immediately invalidated. Any requests using a revoked key will receive a 401 response.
Best Practices
- Use least privilege — Only grant the scopes your integration actually needs.
- Rotate regularly — Create new keys and revoke old ones on a regular schedule (e.g., every 90 days).
- Never commit keys to source control — Store them in environment variables or a secrets manager.
- Use separate keys per integration — If one integration is compromised, you can revoke its key without affecting others.
- Set expiry dates — For temporary integrations or contractor access, set an expiry so the key auto-expires.
- Monitor usage — Review your API key list periodically and revoke any keys that are no longer in use.
TIP
If an API key is accidentally exposed, revoke it immediately from Settings > Integrations and create a replacement.