Setting Up an API Key Connection
Connect to services that use API keys or tokens.
Overview
An API key connection holds a long-lived credential (an API key, personal access token, or bearer token) that Spojit attaches to every request to the upstream service. Unlike OAuth, there is no authorization redirect and no automatic refresh; the key is valid until you (or the service) rotate it.
API key connections are the most common authentication type for SaaS and self-hosted services. Once saved, the key is encrypted at rest, never displayed again, and never included in workflow exports or execution logs. Workflows reference the connection by ID, so rotating the key does not require editing any workflow.
Before You Start
- An API key, token, or equivalent credential issued by the upstream service.
- Any additional values the service requires (e.g. store URL, region, account ID).
- Confirmation that the key has the permission scopes your workflow will need.
Steps
- Go to Connections and click + Add Connection.
- Pick the connector from the catalog. Spojit displays the fields the connector requires.
- Paste your API key or token. Add any other required fields such as a base URL or account identifier.
- Give the connection a descriptive name (e.g. Stripe - Production) so teammates can tell instances apart.
- Click Save. Spojit makes a verification call against the service and marks the connection Active if it succeeds.
Where to Find Your API Key
Every service issues keys differently. Most expose them under Settings -> Developer, API, or Integrations. Refer to the specific connector article in the Connectors collection for the exact path and any required scopes.
Security
- Encrypted at rest - Keys are stored in encrypted secret storage, never in plain text in the database.
- Never displayed - After saving, the field is masked and cannot be retrieved through the UI or API.
- Excluded from exports - Workflow exports reference connections by ID; credentials never travel with the workflow.
- Excluded from logs - Execution logs record the connection used but never the underlying key.
Tips
- Issue a dedicated API key per environment (production, staging, sandbox) and create a separate connection for each. The name should make the environment obvious.
- Where the service supports scoped or restricted keys, use the narrowest scope your workflows need.
- Rotate keys in place by editing the connection. Workflows continue working with no changes because they reference the connection ID.
Common Pitfalls
- Pasted whitespace - Trailing newlines from a copy-paste can make the verification call fail with a misleading 401. Retype or trim the value if you hit one.
- Insufficient scopes - A read-only key passes verification but fails on the first write. Check the connector's scope requirements before issuing the key.
- Sandbox vs production base URL - Many connectors expose a separate base URL field. A sandbox URL paired with a production key (or vice versa) returns confusing errors.
- Silent expiry - Some services age keys out after a fixed period. API key connections do not auto-refresh; you need to rotate before the key dies.
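
The pasted-whitespace pitfall above, as an added example (not Spojit code): a Python check to run on a credential before pasting it into the connection form. It goes slightly beyond trailing newlines to cover zero-width characters and byte order marks; the function name and the sample keys are constructed for illustration.

```python
import unicodedata

# Invisible code points that commonly ride along with a copied secret.
INVISIBLE = {"\u200b": "ZERO WIDTH SPACE", "\u200c": "ZERO WIDTH NON-JOINER",
             "\u200d": "ZERO WIDTH JOINER", "\ufeff": "BYTE ORDER MARK",
             "\u00a0": "NO-BREAK SPACE"}
EDGE_CHARS = " \t\r\n\v\f" + "".join(INVISIBLE)


def inspect_pasted_key(raw: str) -> tuple[str, list[str]]:
    """Return (cleaned_key, findings).

    Findings describe each problem by kind and offset only. They never
    contain characters of the key, so they are safe to print or log.
    """
    findings = []
    cleaned = raw.strip(EDGE_CHARS)
    lead = len(raw) - len(raw.lstrip(EDGE_CHARS))
    trail = len(raw) - lead - len(cleaned)
    if lead:
        findings.append(f"{lead} leading whitespace/invisible character(s) removed")
    if trail:
        findings.append(f"{trail} trailing whitespace/invisible character(s) removed")
    if not cleaned:
        findings.append("nothing left after trimming; the paste contained no key")
    # Characters inside the key cannot be repaired by trimming: report them.
    for pos, ch in enumerate(cleaned):
        if ch in INVISIBLE or ch.isspace() or unicodedata.category(ch).startswith("C"):
            name = INVISIBLE.get(ch) or unicodedata.name(ch, f"U+{ord(ch):04X}")
            findings.append(f"embedded {name} at offset {pos}; re-copy the key")
    return cleaned, findings


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    samples = ["example-key-abc123\r\n", "\ufeffexample\u200bkey ", "example-key-abc123"]
    for sample in samples:
        _, report = inspect_pasted_key(sample)
        print(report or ["clean"])
```

Paste the cleaned value into the connection only when no "embedded" finding is reported; an embedded character means the copy itself is damaged and the key should be copied again from the service.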
Related Articles
- Adding a New Connection
- Setting Up an OAuth Connection
- Troubleshooting Connection Issues
- Updating and Removing Connections