
API keys and logs

What API keys are for

API keys give access to the REST API without logging in as a user for each request. Each key is tied to an organisation (the source organisation). They are used for integrations, scripts, and any automated access.

Requests are executed in the context of the active organisation, which is either the source organisation itself or one of its subsidiaries. For how this works, see Organisation and users. For first steps and endpoints, see Setup and API Reference.

Using the key in requests

Send the API key in every request to the API. The usual way is a header:

  • Header: x-api-key: YOUR_API_KEY

Details on authentication and, if needed, the active organisation header are in the API Reference.

!!! tip "API base URL"
    For the test system use https://xtool-test.invoice-portal.de/api; for production use https://xtool.invoice-portal.de/api. Keys are created in the web app under API within the organisation.

Creating and managing keys

  • Where — In the web app, open the API section (within the organisation). There you can create a new key and delete existing ones.
  • When creating — After creation the secret is shown once. Copy and store it in a secure place — it is not shown again later.
  • Scope — Keys are tied to one organisation. You can create multiple keys (e.g. for different integrations or environments). In the list, existing keys are shown partially (e.g. only the last characters).

!!! warning "Store the secret securely"
    Copy and store the API key secret when it is first shown. You cannot retrieve it later. Do not put it in version control or use it in client-side code.
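
One way to apply "Using the key in requests" and the storage warning above in a server-side script, as an added example that is not part of the product's own code: the key is read from an environment variable, attached as the x-api-key header only for the two base URLs listed on this page, and masked before it is logged. The variable name XTOOL_API_KEY, the helper names and the endpoint path are assumptions.

```python
import os
import urllib.request
from urllib.parse import urlsplit

# Base URLs as listed on this page.
BASE_URLS = {
    "test": "https://xtool-test.invoice-portal.de/api",
    "production": "https://xtool.invoice-portal.de/api",
}
KEY_ENV_VAR = "XTOOL_API_KEY"  # assumed name; choose your own


def load_api_key(environ=os.environ):
    """Read the secret from the environment, never from a file under version control."""
    key = environ.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{KEY_ENV_VAR} is not set")
    return key


def mask_key(key, visible=4):
    """Return a form that is safe to log: only the last characters stay readable."""
    if len(key) <= visible:
        return "*" * len(key)
    return "*" * (len(key) - visible) + key[-visible:]


def build_request(environment, path, api_key, method="GET"):
    """Prepare (without sending) a request that carries the key in x-api-key."""
    base = BASE_URLS[environment]  # KeyError for anything but test/production
    if not path.startswith("/") or path.startswith("//") or "://" in path:
        raise ValueError("path must be relative to the API base URL")
    url = base + path
    # Defence in depth: the key only ever goes over HTTPS to the documented host.
    target, expected = urlsplit(url), urlsplit(base)
    if target.scheme != "https" or target.hostname != expected.hostname:
        raise ValueError("refusing to attach the API key to " + url)
    return urllib.request.Request(url, method=method, headers={"x-api-key": api_key})


if __name__ == "__main__":
    api_key = load_api_key()
    # "/placeholder-endpoint" is hypothetical; real paths are in the API Reference.
    request = build_request("test", "/placeholder-endpoint", api_key)
    print(request.get_method(), request.full_url, "key:", mask_key(api_key))
```

Pass the prepared request to `urllib.request.urlopen` to send it; log `mask_key(api_key)` rather than the key itself.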

API logs

Every API call is logged (which key, which method, time) for audit and debugging. In the web app you can view logs under Usage or API Logs. See Usage.