Generate API Key

How organization ingestion keys work, how to rotate them, and how to keep transaction ingestion secure.

Organization-scoped access

Each tenant uses its own ingestion key, keeping transaction ingestion scoped to one organization.

Lifecycle visibility

Creation, rotation, revocation, and last-used metadata support operations and audit review.

Server-side secret

Keep ingestion keys in backend configuration or a secret manager, never in browser or mobile code.

What the ingestion key is for

WatchTower uses organization-scoped API keys for machine-to-machine transaction ingestion. These keys identify the organization receiving the event and are separate from console login sessions.

Use the ingestion key for

  • server-to-server transaction ingestion
  • controlled simulator traffic
  • staging and production integration traffic
  • backend middleware that forwards events into WatchTower

Do not use it for

  • browser code
  • mobile apps
  • public frontend configuration
  • console login or user sessions

Server-side only

An ingestion key is a production secret. It should live only in backend configuration or a secret manager, never in client-side code.

Required ingestion headers

The API key authenticates the organization. The idempotency key protects against duplicate ingestion when retries happen.

Send these on every ingestion request

  • x-api-key
  • idempotency-key
  • content-type: application/json
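
An added example, not WatchTower's own code: a backend sender that loads the ingestion key from the environment, attaches the three required headers, and reuses one idempotency key across retries. The ingestion URL, the `WATCHTOWER_INGESTION_KEY` variable name, and deriving the idempotency key from a hash of the request body are assumptions, not documented on this page.

```python
import hashlib
import json
import os
import urllib.request

# Assumption: placeholder URL; the page does not show the ingestion route.
INGEST_URL = "https://watchtower.example.invalid/ingest-placeholder"
KEY_ENV_VAR = "WATCHTOWER_INGESTION_KEY"  # hypothetical variable name


def load_ingestion_key(env=os.environ):
    """Read the key from backend configuration; fail closed if it is missing."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(KEY_ENV_VAR + " is not set")
    return key


def canonical_body(event):
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def build_request(event, api_key):
    """Attach the three required headers; the idempotency key is derived
    from the body (an assumption) so every retry of an event reuses it."""
    body = canonical_body(event)
    headers = {
        "x-api-key": api_key,
        "idempotency-key": hashlib.sha256(body).hexdigest(),
        "content-type": "application/json",
    }
    return urllib.request.Request(INGEST_URL, data=body, headers=headers, method="POST")


def loggable_headers(req):
    """Headers safe to log: the ingestion key is masked."""
    return {k.lower(): "[redacted]" if k.lower() == "x-api-key" else v
            for k, v in req.header_items()}


def send_with_retry(event, api_key, send, attempts=3):
    """Retry transient failures; each attempt carries the same idempotency key."""
    for attempt in range(attempts):
        try:
            return send(build_request(event, api_key))
        except OSError:  # URLError and socket timeouts are OSError subclasses
            if attempt == attempts - 1:
                raise
```

In production, pass `send` a function that calls `urllib.request.urlopen(req, timeout=...)`; the transport is injected here so the retry behaviour can be exercised offline.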

Key lifecycle

Supported operations

  • generate an initial key
  • rotate an active key
  • revoke a compromised or unused key
  • review key status and last-used metadata

Rotate a key when

  • an integration owner changes
  • a secret may have been exposed
  • you are moving from staging to production
  • a vendor or middleware environment is retired

Environment separation

Use separate keys per environment. A staging or sandbox key should not be reused in production, and production traffic should not be replayed into a non-production workspace without explicit approval.

Operational controls

  • store keys in a secret manager or backend environment configuration
  • restrict source IPs where an allowlist is available
  • monitor last-used metadata during rollout
  • review audit logs after key generation, rotation, and revocation

Relevant API routes

Organization key management

  • /api/v1/orgs/api-key/generate
  • /api/v1/orgs/api-key/rotate
  • /api/v1/orgs/api-key