Skip to content

API Keys

API keys let you authenticate programmatic requests to Governance Studio without using your login credentials. Any user can generate their own API keys from their User Profile.

An API key inherits the same role-based permissions as the user who created it. This means an API key can only perform actions its owner is authorized to perform in the interface — for example, an API key generated by an Implementation Owner cannot be used to submit a review, since determining control outcomes requires an Audit Owner role. Learn more about Roles and Permissions.

Treat API keys like passwords: store them in a secrets manager, avoid sharing them between users, rotate them when ownership changes, and revoke any key that has been exposed or is no longer in use.

Key concepts and actions associated with API Keys include:

  • Generating an API Key
  • Viewing API Keys
  • Revokeing an API Key
  • Service Accounts

To generate an API key:

  1. Select the profile dropdown → Select User Profile
  2. Under API Keys , select Generate API Key
  3. Enter a Key Name
  4. Enter a Description explaining what the key will be used for
  5. Select Generate Key

Once generated, your key is shown once. Copy and store it securely — Governance Studio does not display the full key value again.

API Keys lists every key you’ve generated, along with:

  • Key ID: A partial, non-sensitive identifier used to distinguish keys (for example, ak_d76f31a3...)
  • Created: When the key was generated
  • Last Used: The most recent time the key was used
  • Revoked: When the key was revoked
  • Status: Active or Revoked

Use the search bar to find a key by name, description, or ID, or filter the list by status.

Revoking a key is permanent and cannot be undone.

To revoke an API key:

  1. Under API Keys, locate the key and select Revoke
  2. Type the key’s name to confirm
  3. Select Revoke

Some platform integrations use service accounts rather than user-owned API keys. Service accounts are managed by platform operators and documented with Auth Service. They are not a replacement for assigning correct project roles to human users.