Managing Your API Key

Learn how to manage your API key to protect your account and maintain PCI and HIPAA compliance


April 12th 2021: Auth token becomes API key

We formerly referred to your API key as Auth token. Why the change? Ultimately, 'API key' is a more accurate representation of how we're actually authorizing your account to make calls to the API from a technical perspective. Therefore, while adding updates to API credentials, we decided to officially change the name in order to align with industry standards and better represent how our platform works.

What about your former Auth token? No worries! Your current API key string is the same as your former Auth token string and will not cause any breaking changes.

Protect your account from bad actors

Your account ID and API key are both unique to your account and are required for FreeClimb to authenticate requests sent by any of your applications. To keep your credentials safe, always store them in environment variables and never directly in your publicly available code. To further reduce the risk of a compromised API key, rotate your key every 90 days.

At any given time, you can have two API keys, allowing you to rotate your API key without any downtime in your applications.


It is strongly recommended that you delete your older API key once you've updated your applications with the new one to avoid compromised API credentials.

Maintain PCI and HIPAA compliance

Applications handling sensitive user data need to take steps to protect that data from potential breaches or leaks. Whether or not data is considered sensitive is sometimes up to the application developer, while other times it's governed by regulatory bodies. Regulated types of sensitive user data include Payment Card Industry (PCI) data, like credit card and account numbers, PINs and passcodes, and Protected Health Information (PHI), which is any individually identifiable health information and used as a basis for the Health Insurance Portability and Accountability Act (HIPAA).


FreeClimb developers building applications that process sensitive data should rotate their API key every 90 days to maintain compliance with the above regulatory bodies.

Viewing your API key

You can view your most recently created API key on your dashboard homepage.


Your dashboard homepage contains your account ID and most recently created API key

You can also view your API keys under Account > API Credentials.

Generating a new API key

Sign in to your Dashboard and go to Account > API Credentials. You will see your account ID and all current API keys under the API Credentials section.


The API credentials page contains both your account ID and API key(s)

If you only have one API key, you can use the Add Key button to get a new one.


The Add Key button allows you to add a second API key

Once you've successfully clicked Add in the resulting pop-up modal, a new API key will be generated. At this time, both keys will be live. This allows you to update your applications without any downtime.


Once you've created a new key and have successfully updated all your applications, we highly recommend deleting your old key for security purposes.

If you already have two API keys, you'll need to delete a key before you can generate a new one. Accounts are limited to only two API keys at one time to limit the possibility of bad actors finding and misusing your credentials.

Deleting an API key

FreeClimb accounts must have at least one API key at all times. Therefore, if you only have one API key and wish to delete it, you must first generate a new one and then delete the other.

Click the Delete button on the key you wish to delete.


The Delete button will permanently delete the key and remove it from your account

Once clicked, you will be prompted to provide your password. Entering your password and clicking the Delete button will permanently delete your key. Once keys are deleted, they cannot be returned to your account.