API keys

Alga PSA authenticates public REST API requests with API keys. You create a key in the Alga PSA app, copy it once, and then send it on each request in the X-API-Key header.

Where to create a key

For a normal integrator workflow, create the key from your own user profile in Alga PSA. In the current product UI, that setup flow lives under Profile → API Keys.

If you want the click-by-click product walkthrough, read Set up API keys in Alga PSA.

How keys authenticate requests

Include your key in the X-API-Key header. Requests with a missing or invalid key are rejected.

curl https://algapsa.com/api/v1/boards \
  -H "X-API-Key: $ALGA_API_KEY"

Permissions

API keys inherit the permissions of the user who created them. If a key cannot access an endpoint, first check whether the underlying user would be allowed to do the same thing in Alga PSA.

Storage and rotation

• Store keys in a password manager, secret manager, or environment variable store.
• Create separate keys for separate integrations.
• Rotate by creating a replacement key first, then deactivating the old one.
• Do not commit keys into source control or paste them into public issue trackers.

Related pages

• Set up API keys in Alga PSA
• Authentication