Generate API Key
How organization ingestion keys work and how to operate them safely.
Organization-scoped access
Each tenant uses its own ingestion key for transaction monitoring requests.
Lifecycle visibility
WatchTower tracks creation, rotation, revocation, and last-used metadata for support and auditability.
Secure handling
Keep ingestion keys in backend config or a secret manager, never in browser code.
What the ingestion key is for
WatchTower uses organization-scoped API keys for transaction ingestion. These are separate from console session authentication.
Use the ingestion key for
- sending transaction events
- server-to-server integration
- simulator or staging traffic
Do not use the ingestion key for console pages or other session-authenticated workflows.
Key lifecycle
Supported operations
- generate
- rotate
- revoke
Operational metadata tracked by WatchTower
- whether a key exists
- when it was created
- when it was rotated
- when it was last used
Security practices
- store the key in your backend or secret manager
- never expose it in browser code
- rotate it when an integration owner changes
- restrict it with IP allowlisting where appropriate
If an ingestion key is exposed in client-side code or shared carelessly across environments, you weaken tenant isolation and make support incidents harder to contain.
Required headers
The idempotency key prevents duplicate ingestion when your platform retries requests.
Next step
Once the key exists, connect it to the simulator or your staging integration and validate that WatchTower receives the first transaction successfully.