API keys enable programmatic access to LowerPlane’s API, allowing you to integrate compliance data into your internal tools, CI/CD pipelines, dashboards, and automated workflows.

Creating an API Key

  1. Navigate to Settings > API Keys
     Open the API key management page from the Settings menu.
  2. Click Create API Key
     Click Create API Key to open the key creation form.
  3. Name the key
     Give the key a descriptive name that identifies its purpose (e.g., “CI/CD Pipeline - Production”, “Internal Dashboard”, “Audit Export Script”).
  4. Set permissions
     Select the access level for the key. Choose the minimum permissions required for its intended use.
  5. Set environment scope (optional)
     If your organization uses multiple environments, scope the key to specific environments.
  6. Set expiration (optional)
     Configure an expiration date for the key. Setting an expiration date is a security best practice.
  7. Create and copy the key
     Click Create. The full API key is displayed once. Copy it immediately and store it securely.
The API key value is only shown once at creation time. If you lose it, you must create a new key. Store API keys in a secrets manager (HashiCorp Vault, AWS Secrets Manager, 1Password) rather than in code or plain text files.

Key Permissions

API keys can be configured with different permission levels:

  Permission   Description                                              Use case
  Read-only    Can read compliance data but cannot make changes         Dashboards, reporting, monitoring
  Read-write   Can read and modify compliance data                      Automation scripts, CI/CD integrations
  Admin        Full API access including settings and user management   Internal platform integrations

Follow the principle of least privilege. Most integrations only need read-only access. Only grant read-write or admin permissions when the integration specifically requires them.

Environment Scoping

If your organization manages separate environments (production, staging, development), you can scope API keys to specific environments:
  • Production — Key can only access production compliance data
  • Staging — Key can only access staging environment data
  • All environments — Key can access data across all environments
Environment scoping prevents test or development automation from accidentally modifying production compliance data.

Managing API Keys

Viewing Active Keys

The API Keys page displays all active keys with:

  Column        Description
  Name          The descriptive name you assigned
  Permissions   Read-only, read-write, or admin
  Created       When the key was created
  Last used     When the key was last used to make an API call
  Expires       Expiration date (if set)
  Status        Active or revoked

Revoking a Key

To immediately disable an API key:
  1. Find the key in the API Keys list.
  2. Click Revoke.
  3. Confirm the action.
The key is immediately invalidated. Any system using this key will receive authentication errors on the next API call.
Revoking a key is permanent. If you need the same access restored, create a new key and update the consuming system with the new credentials.

Key Rotation

Regular key rotation limits the impact of a compromised key. The recommended rotation process:
  1. Create a new key
     Create a new API key with the same permissions as the key being rotated.
  2. Update the consuming system
     Replace the old key with the new key in your integration, CI/CD pipeline, or script.
  3. Verify the new key works
     Confirm that the consuming system operates correctly with the new key.
  4. Revoke the old key
     Once the new key is verified, revoke the old key.
Set calendar reminders for key rotation. A common rotation schedule is every 90 days. Some compliance frameworks require rotation at least annually.

Using API Keys

Include the API key in the Authorization header of your HTTP requests:

  Authorization: Bearer lp_your_api_key_here

All API requests must be made over HTTPS. HTTP requests are rejected.
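A small client helper, added here as an example and not LowerPlane's own SDK, that applies the rules above: the key is read from an environment variable (the variable name LOWERPLANE_API_KEY, the hostname and the request path are assumptions), the bearer header is attached, and any non-HTTPS base URL is refused before the key is sent anywhere. The mapping of 401/403 to a revoked-or-expired hint is also an assumption about the API's error codes.

```python
import json
import os
from typing import Optional
from urllib.error import HTTPError
from urllib.parse import urlparse
from urllib.request import Request, urlopen

API_KEY_ENV = "LOWERPLANE_API_KEY"  # assumed variable name; inject it from your secrets manager


def load_api_key(env: Optional[dict] = None) -> str:
    """Read the key from the environment, never from source code or a plain-text file."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; inject it from your secrets manager")
    return key


def redact(key: str) -> str:
    """Form safe for logs: only the 'lp_' prefix survives, never the secret part."""
    return key[:3] + "..."


def build_request(base_url: str, path: str, api_key: str) -> Request:
    """Attach 'Authorization: Bearer <key>' and refuse to send the key over plain HTTP."""
    scheme = urlparse(base_url).scheme
    if scheme != "https":
        raise ValueError(f"refusing to send an API key over {scheme!r}; only HTTPS is accepted")
    url = base_url.rstrip("/") + "/" + path.lstrip("/")
    return Request(url, headers={"Authorization": f"Bearer {api_key}",
                                 "Accept": "application/json"})


def call_api(req: Request, timeout: float = 10.0) -> dict:
    """Perform the request; an authentication failure usually means the key was revoked or expired."""
    try:
        with urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except HTTPError as err:
        if err.code in (401, 403):  # assumed status codes for rejected credentials
            raise PermissionError("authentication failed: key revoked, expired, or lacking permission") from err
        raise


if __name__ == "__main__":
    key = load_api_key()
    req = build_request("https://api.lowerplane.example", "/v1/compliance/status", key)  # hypothetical path
    print("calling", req.full_url, "with key", redact(key))
    print(call_api(req))
```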

Common Use Cases

  Use case               Permission needed   Description
  Compliance dashboard   Read-only           Pull compliance scores and control status into an internal dashboard
  Audit export           Read-only           Automate periodic export of evidence and test results for audit packages
  CI/CD security gate    Read-only           Check compliance status before deploying to production
  Evidence upload        Read-write          Automatically upload evidence from CI/CD pipelines or scripts
  User provisioning      Admin               Automate user invitations and role assignments

Security Best Practices

  • Never commit API keys to version control. Use environment variables or a secrets manager.
  • Use read-only keys whenever possible. Most integrations do not need write access.
  • Set expiration dates. Keys without expiration dates become a security risk over time.
  • Monitor the “last used” timestamp. Keys that have not been used in 90+ days should be reviewed and potentially revoked.
  • Rotate keys regularly. Replace keys at least annually, or every 90 days for high-privilege keys.
  • Revoke keys immediately when no longer needed. Do not leave unused keys active.
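The review the list above asks for, written out as an added example (not LowerPlane tooling) over a constructed key inventory with the columns the API Keys page shows: it flags active keys with no expiration, keys unused for 90+ days, and keys past their rotation window (90 days for read-write/admin, a year for read-only).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

STALE_AFTER = timedelta(days=90)        # "last used" older than this: review, potentially revoke
ROTATE_HIGH_PRIV = timedelta(days=90)   # read-write and admin keys
ROTATE_READ_ONLY = timedelta(days=365)  # read-only keys: at least annually


@dataclass(frozen=True)
class ApiKey:
    name: str
    permissions: str            # "read-only" | "read-write" | "admin"
    created: date
    last_used: Optional[date]   # None: never used
    expires: Optional[date]     # None: no expiration set
    status: str = "active"      # "active" | "revoked"


def review_keys(keys: List[ApiKey], today: date) -> List[Tuple[str, str]]:
    """Return (key name, finding) pairs for every active key that breaks a best practice."""
    findings = []
    for k in keys:
        if k.status != "active":
            continue  # revoked keys are already dead; nothing to do
        if k.expires is None:
            findings.append((k.name, "no expiration date set"))
        if k.last_used is None:
            if today - k.created > STALE_AFTER:
                findings.append((k.name, "never used since creation 90+ days ago; revoke if not needed"))
        elif today - k.last_used > STALE_AFTER:
            findings.append((k.name, "not used in 90+ days; review and potentially revoke"))
        limit = ROTATE_READ_ONLY if k.permissions == "read-only" else ROTATE_HIGH_PRIV
        if today - k.created > limit:
            findings.append((k.name, f"older than {limit.days} days; rotate"))
    return findings


# Constructed sample inventory, not real keys.
TODAY = date(2025, 6, 30)
SAMPLE_KEYS = [
    ApiKey("Internal Dashboard", "read-only", date(2025, 4, 1), date(2025, 6, 29), date(2025, 12, 31)),
    ApiKey("Audit Export Script", "read-only", date(2024, 1, 15), date(2025, 2, 1), None),
    ApiKey("CI/CD Pipeline - Production", "read-write", date(2025, 2, 1), date(2025, 6, 30), date(2025, 8, 1)),
    ApiKey("Old Provisioning", "admin", date(2024, 11, 1), None, date(2025, 3, 1), status="revoked"),
    ApiKey("User Provisioning", "admin", date(2025, 6, 1), None, date(2025, 9, 1)),
]

if __name__ == "__main__":
    for name, finding in review_keys(SAMPLE_KEYS, TODAY):
        print(f"{name}: {finding}")
```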

API Key Audit Trail

LowerPlane logs all API key management actions:
  • Key creation (who created it, when, with what permissions)
  • Key usage (last used timestamp, request count)
  • Key revocation (who revoked it, when)
This audit trail supports compliance requirements for access management and is available in audit packages.
If you suspect an API key has been compromised, revoke it immediately and create a new one. Review the audit logs for any unauthorized activity during the period the key may have been exposed.