
API Keys: Creation, Expiry, Security Limits, and Request Limits

Updated Feb 15, 2026

1) How to create an API key

  1. Go to Organisation Settings → API.

  2. Click Create API Key.

  3. Enter a clear key name (example: BrightGauge Integration).

  4. Choose an expiry duration:

    • 1 month

    • 3 months

    • 6 months

    • 12 months (default)

  5. Save the key.

  6. Copy the key immediately; it is shown only once.

2) Expiry behavior

  • API keys now have an expiry date.

  • Default expiry is 12 months.

  • You can choose 1, 3, 6, or 12 months at creation time.

  • Once expired, a key:

    • stops authenticating API requests

    • is shown as Expired in the API key list

  • Regenerating a key resets its expiry to the default 12 months.
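The expiry rules above are easy to get wrong in an inventory spreadsheet (month rollover, the regeneration reset, "rotate before the last day"). The following is an added example, not code from this documentation or from the product, that computes each key's expiry date from its creation date and chosen duration (1, 3, 6 or 12 months, default 12), applies the regeneration reset, and flags keys that are expired or due for rotation. The key records and their field layout are constructed sample data, the 14-day rotation warning is an assumption, and treating the expiry day itself as already expired is also an assumption (the page does not state whether expiry is inclusive).

```python
"""Added example, not code from the documentation page: an inventory check that
computes each key's expiry date from its creation date and chosen duration
(1, 3, 6 or 12 months, default 12) and flags keys that are expired or due for
rotation. The key records are constructed sample data; the 14-day warning
window and the inclusive expiry day are assumptions."""
import calendar
from datetime import date, timedelta

VALID_EXPIRY_MONTHS = (1, 3, 6, 12)   # options offered at creation time
DEFAULT_EXPIRY_MONTHS = 12            # default, also applied when regenerating
ROTATE_WARNING_DAYS = 14              # assumption: warn two weeks before expiry


def add_months(start, months):
    """Advance a date by whole months, clamping to the target month's last day
    (31 Jan + 1 month -> 28 or 29 Feb) so no invalid date is produced."""
    index = start.month - 1 + months
    year, month = start.year + index // 12, index % 12 + 1
    day = min(start.day, calendar.monthrange(year, month)[1])
    return date(year, month, day)


def expiry_date(created, months=DEFAULT_EXPIRY_MONTHS):
    """Expiry of a key created on `created` with the chosen duration."""
    if months not in VALID_EXPIRY_MONTHS:
        raise ValueError("expiry must be one of %s months" % (VALID_EXPIRY_MONTHS,))
    return add_months(created, months)


def key_status(created, months, today, warn_days=ROTATE_WARNING_DAYS):
    """'Expired' once the expiry date is reached (assumption: inclusive),
    'Rotate soon' inside the warning window, otherwise 'OK'."""
    expires = expiry_date(created, months)
    if today >= expires:
        return "Expired"
    if today + timedelta(days=warn_days) >= expires:
        return "Rotate soon"
    return "OK"


def regenerated_expiry(regenerated_on):
    """Regenerating a key resets its expiry to the default 12 months."""
    return expiry_date(regenerated_on, DEFAULT_EXPIRY_MONTHS)


# Constructed sample inventory: (key name, creation date, expiry months)
SAMPLE_KEYS = [
    ("BrightGauge Integration", date(2025, 2, 15), 12),
    ("Temporary migration script", date(2025, 9, 1), 6),
    ("Dashboard poller", date(2026, 1, 1), 3),
]


def audit(keys, today):
    """Map each key name to its status so expiring keys can be rotated early."""
    return {name: key_status(created, months, today)
            for name, created, months in keys}


if __name__ == "__main__":
    for name, status in audit(SAMPLE_KEYS, date(2026, 2, 20)).items():
        print("%-28s %s" % (name, status))
```

Run the audit from a scheduled job against your real key inventory and alert on anything other than "OK"; because a regenerated key gets a fresh 12-month expiry, record the regeneration date as the new creation date.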

3) Security retry limits and lockout behavior

When a key is invalid, revoked, or expired, the API returns an authentication failure.

Important:
There is no permanent account/key lockout after failed retries.
Instead, the API enforces rate limits (throttling). If too many requests are made in a short period, requests are temporarily blocked with HTTP 429 Too Many Requests.

This protects against brute-force and excessive retry attempts.

4) Request limits (rate limiting)

Current API request limits are:

  • Unauthenticated requests: 30 requests/minute

  • Authenticated API key requests: 120 requests/minute

If you exceed these limits, the API returns:

  • 429 Too Many Requests

Wait and retry once the throttle window resets.

5) Practical recommendations

  • Rotate keys regularly (do not wait until the last day).

  • Set shorter expiry for temporary integrations.

  • Store keys in a secret manager (not in source code).

  • Monitor for 401 and 429 responses in your integration logs.

  • If possible, spread polling intervals to avoid burst traffic.
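Sections 3 to 5 together describe how a well-behaved integration should treat the two failure responses: a 401 means the key itself is bad (invalid, revoked or expired) and retrying cannot help, while a 429 means the client is over the per-minute limit and should back off. The following is an added example, not code from this documentation or from the product, of a client wrapper that paces itself under the documented 120 requests/minute so the server rarely has to answer 429, retries 429 with backoff, fails fast on 401, and counts both status codes for monitoring. The API is replaced by a constructed in-memory FakeApi (and a fake clock) so the example runs offline; the request shape, the Retry-After header and the retry budget are assumptions and not documented behaviour of this API.

```python
"""Added example, not code from the documentation page: a client wrapper that
stays under the documented 120 requests/minute limit, retries on HTTP 429 with
backoff, treats HTTP 401 as a key problem (invalid, revoked or expired) that
must not be retried, and counts 401/429 responses for monitoring. The API is
simulated by a constructed in-memory FakeApi so the example runs offline; the
call shape, the Retry-After header and the retry budget are assumptions."""
import collections

AUTHENTICATED_LIMIT = 120    # requests/minute with a valid key (documented)
UNAUTHENTICATED_LIMIT = 30   # requests/minute without a valid key (documented)
WINDOW_SECONDS = 60


class FakeClock:
    """Constructed clock so the example (and its tests) need no real waiting."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeApi:
    """Constructed stand-in for the real API: enforces the documented per-minute
    limits with a sliding window and answers 401 for unknown or expired keys."""
    def __init__(self, valid_keys, clock):
        self.valid_keys = set(valid_keys)
        self.clock = clock
        self.seen = collections.deque()   # timestamps of requests in the window

    def request(self, api_key):
        now = self.clock.now()
        while self.seen and now - self.seen[0] >= WINDOW_SECONDS:
            self.seen.popleft()
        authenticated = api_key in self.valid_keys
        limit = AUTHENTICATED_LIMIT if authenticated else UNAUTHENTICATED_LIMIT
        if len(self.seen) >= limit:
            return 429, {"Retry-After": "1"}   # header is an assumption
        self.seen.append(now)
        return (200, {}) if authenticated else (401, {})


class KeyRejected(Exception):
    """Raised on 401: the key is invalid, revoked or expired. Retrying cannot
    fix this; rotate the key instead."""


class ApiClient:
    def __init__(self, api_key, transport, clock, max_retries=3):
        self.api_key = api_key
        self.transport = transport      # callable(api_key) -> (status, headers)
        self.clock = clock
        self.max_retries = max_retries
        self.sent = collections.deque()         # timestamps of our own requests
        self.counts = collections.Counter()     # status -> count, for monitoring

    def _throttle(self):
        """Client-side sliding window: never send more than the documented
        authenticated limit in any 60 s, so the server should never say 429."""
        while True:
            now = self.clock.now()
            while self.sent and now - self.sent[0] >= WINDOW_SECONDS:
                self.sent.popleft()
            if len(self.sent) < AUTHENTICATED_LIMIT:
                return
            self.clock.sleep(WINDOW_SECONDS - (now - self.sent[0]))

    def get(self):
        """One logical request with 429 retry and 401 fail-fast; returns status."""
        for attempt in range(self.max_retries + 1):
            self._throttle()
            self.sent.append(self.clock.now())
            status, headers = self.transport(self.api_key)
            self.counts[status] += 1
            if status == 401:
                raise KeyRejected("API key rejected (invalid, revoked or expired)")
            if status != 429:
                return status
            # Throttled: honour Retry-After if present, else exponential backoff.
            self.clock.sleep(float(headers.get("Retry-After", 2 ** attempt)))
        raise RuntimeError("still throttled after %d retries" % self.max_retries)


def run_burst(n_requests, api_key="key-valid-EXAMPLE",
              valid_keys=("key-valid-EXAMPLE",)):
    """Send a burst of n requests through a paced client against FakeApi and
    return (status counts, seconds of simulated time elapsed)."""
    clock = FakeClock()
    api = FakeApi(valid_keys, clock)
    client = ApiClient(api_key, api.request, clock)
    for _ in range(n_requests):
        client.get()
    return dict(client.counts), clock.now()


if __name__ == "__main__":
    counts, elapsed = run_burst(300)
    print(counts, "in", elapsed, "simulated seconds")
```

The client-side window is what turns "spread polling intervals" into code: a burst of 300 calls is spread over three one-minute windows instead of being fired at once, so the 429 counter stays at zero. A non-zero 401 count is the signal to check the key list for an Expired entry and rotate.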