
Overview

API credentials are used to authenticate requests to the Gather API. Credentials are scoped to your organization/team and can be created, listed, and revoked.
Credential management operations are performed via Eucalyptus (internal admin tool). Contact your Qualifi administrator to create or manage API credentials.

Create API Credentials

Create new API credentials for an organization/team.
Endpoint: POST /qsi/gather/credentials
Access: Internal via Eucalyptus
{
  "organizationId": "uuid",
  "teamId": "uuid",
  "name": "Production API Key",
  "permissions": ["read", "write"]
}
The API key is only returned once upon creation. Store it securely. If lost, you’ll need to create a new credential.

List API Credentials

List all API credentials for an organization.
Endpoint: GET /qsi/gather/credentials
Access: Internal via Eucalyptus
{
  "data": [
    {
      "id": "uuid",
      "name": "Production API Key",
      "organizationId": "uuid",
      "teamId": "uuid",
      "createdAt": "2024-01-01T00:00:00Z",
      "lastUsedAt": "2024-01-15T00:00:00Z"
    }
  ],
  "meta": {
    "requestId": "uuid",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}

Revoke API Credentials

Revoke/delete an API credential.
Endpoint: DELETE /qsi/gather/credentials/{credentialId}
Access: Internal via Eucalyptus
credentialId (string, required): UUID of the credential to revoke
{
  "data": {
    "id": "uuid",
    "revokedAt": "2024-01-01T00:00:00Z"
  },
  "meta": {
    "requestId": "uuid",
    "timestamp": "2024-01-01T00:00:00Z"
  }
}
Revoking a credential immediately invalidates all requests using that API key. Ensure you have alternative credentials before revoking.

Credential Properties

API Key Format

API keys are prefixed with qapi_ followed by a secure random string:
  • Example: qapi_abc123def456ghi789

Scope and Permissions

  • Organization Scope: Credentials are scoped to a specific organization
  • Team Scope: Credentials can be further scoped to a team within the organization
  • Permission Inheritance: API keys inherit permissions from the organization/team they’re associated with
  • Multiple Keys: Each organization/team can have multiple API keys

Security Best Practices

  1. Rotate Regularly: Rotate API keys periodically for security
  2. Use Separate Keys: Use different keys for different environments (production, staging)
  3. Monitor Usage: Regularly review credential usage and revoke unused keys
  4. Secure Storage: Never commit API keys to version control
  5. Least Privilege: Use keys with minimal required permissions
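
An added example (not part of the Gather API documentation or Qualifi's own code) for practices 1 and 3: it audits a List API Credentials response using the createdAt and lastUsedAt fields and reports keys that are due for rotation or look unused. The 90-day and 30-day thresholds, the treatment of a null lastUsedAt as "never used", and the sample records are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

MAX_AGE = timedelta(days=90)   # assumed rotation interval; the page sets none
MAX_IDLE = timedelta(days=30)  # assumed "unused" threshold; the page sets none

# Constructed sample in the shape of the List API Credentials response.
SAMPLE = json.loads("""
{"data": [
  {"id": "00000000-0000-4000-8000-00000000000a", "name": "Production API Key",
   "createdAt": "2024-01-01T00:00:00Z", "lastUsedAt": "2024-06-28T00:00:00Z"},
  {"id": "00000000-0000-4000-8000-00000000000b", "name": "Staging API Key",
   "createdAt": "2024-06-10T00:00:00Z", "lastUsedAt": "2024-06-30T00:00:00Z"},
  {"id": "00000000-0000-4000-8000-00000000000c", "name": "Old batch job",
   "createdAt": "2024-03-01T00:00:00Z", "lastUsedAt": "2024-03-05T00:00:00Z"},
  {"id": "00000000-0000-4000-8000-00000000000d", "name": "Never deployed",
   "createdAt": "2024-05-01T00:00:00Z", "lastUsedAt": null}
 ],
 "meta": {"requestId": "constructed", "timestamp": "2024-07-01T00:00:00Z"}}
""")

def parse_ts(value):
    """Parse the response's ISO 8601 'Z' timestamps; missing or null gives None."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None

def audit_credentials(response, now):
    """Return [(id, name, [reasons])] for keys due for rotation or revocation."""
    findings = []
    for cred in response.get("data", []):
        created = parse_ts(cred.get("createdAt"))
        last_used = parse_ts(cred.get("lastUsedAt"))
        reasons = []
        # A key with no readable creation time is treated as overdue.
        if created is None or now - created > MAX_AGE:
            reasons.append("rotate")
        # Assumption: a key with no lastUsedAt has never been used, so its
        # idle time is measured from creation.
        idle_since = last_used or created
        if idle_since is None or now - idle_since > MAX_IDLE:
            reasons.append("unused")
        if reasons:
            findings.append((cred["id"], cred.get("name"), reasons))
    return findings

if __name__ == "__main__":
    for cred_id, name, reasons in audit_credentials(SAMPLE, datetime.now(timezone.utc)):
        print(f"{cred_id}  {name!r}: {', '.join(reasons)}")
```

Keys reported as "unused" are candidates for the revoke endpoint; keys reported as "rotate" need a replacement credential created before the old one is revoked.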