API Keys
API keys enable programmatic access to Levy Fleets data and functionality. Create keys for custom integrations, data exports, and third-party applications.
Navigation
Access API Keys from Dashboard > Settings > API Keys.
Overview
What API Keys Do
API keys allow:
- Programmatic data access
- Third-party integrations
- Custom reporting tools
- Automated workflows
- Mobile app development
Authentication Flow
1. Request includes API key header
2. Key is validated
3. Permissions are checked
4. Request is processed
5. Response is returned
Creating API Keys
Step-by-Step
- Navigate to Settings > API Keys
- Click Create API Key
- Configure the key:
- Name (for identification)
- Permissions
- Expiration (optional)
- Click Create
- Copy the key immediately
Security
The full API key is only shown once. Store it securely immediately after creation.
Key Configuration
| Field | Description |
|---|---|
| Name | Descriptive name for the key |
| Permissions | What the key can access |
| Expiration | When the key expires (optional) |
| Rate Limit | Requests per minute |
Naming Best Practices
Use descriptive names:
Production-Analytics-IntegrationStaging-Mobile-AppPartner-XYZ-AccessInternal-Reporting-Tool
Permissions
Permission Levels
| Level | Access |
|---|---|
| Read-Only | GET requests only |
| Read-Write | GET, POST, PUT, DELETE |
| Admin | Full access including settings |
Resource Permissions
Configure access per resource:
| Resource | Available Permissions |
|---|---|
| Rides | Read, Create, Update |
| Vehicles | Read, Create, Update, Delete |
| Customers | Read, Update |
| Pricing | Read, Update |
| Analytics | Read |
Example Permission Sets
Analytics Integration:
- Rides: Read
- Vehicles: Read
- Customers: Read
- Analytics: Read
Mobile App:
- Rides: Read, Create, Update
- Vehicles: Read
- Customers: Read, Update
Admin Tool:
- All resources: Full access
Using API Keys
HTTP Header
Include key in Authorization header:
Authorization: Bearer YOUR_API_KEY
Example Request
curl -X GET "https://api.levyfleets.com/v1/rides" \
-H "Authorization: Bearer sk_live_abc123..." \
-H "Content-Type: application/json"
Base URL
Production: https://api.levyfleets.com/v1
Sandbox: https://api-sandbox.levyfleets.com/v1
Key Types
Live Keys
For production use:
- Prefix:
sk_live_ - Access production data
- Affects real operations
- Use in production systems
Test Keys
For development/testing:
- Prefix:
sk_test_ - Access sandbox environment
- Safe for testing
- No real data affected
Development
Always use test keys during development. Switch to live keys only for production deployment.
Managing Keys
Viewing Keys
The API Keys page shows:
- Key name
- Partial key (last 8 chars)
- Permissions summary
- Last used date
- Status
Editing Keys
Modify existing keys:
- Click on the key
- Update name or permissions
- Save changes
Note
You cannot change the key value itself. Create a new key if needed.
Revoking Keys
To deactivate a key:
- Click on the key
- Click Revoke
- Confirm revocation
Revoked keys:
- Immediately stop working
- Cannot be reactivated
- Remain in list for audit
Deleting Keys
To permanently remove:
- Click on the key
- Click Delete
- Confirm deletion
Deleted keys:
- Removed from list
- Cannot be recovered
- Audit log retained
Rate Limiting
Default Limits
| Plan | Requests/Minute |
|---|---|
| Standard | 60 |
| Professional | 300 |
| Enterprise | 1000+ |
Rate Limit Headers
Response includes:
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 55
X-RateLimit-Reset: 1640000000
Handling Rate Limits
When limit exceeded:
- HTTP 429 response
- Retry-After header
- Implement exponential backoff
Security Best Practices
Key Storage
- Never commit keys to version control
- Use environment variables
- Store in secrets manager
- Rotate keys regularly
Key Rotation
Rotate keys periodically:
- Create new key
- Update your systems
- Test with new key
- Revoke old key
Monitoring
Track key usage:
- Monitor request volume
- Watch for unusual patterns
- Set up alerts
- Review access logs
Principle of Least Privilege
- Grant minimum needed permissions
- Use separate keys per integration
- Don't share keys between environments
- Revoke unused keys
API Key Scopes
Subaccount Scopes
Limit keys to specific subaccounts:
- All subaccounts
- Specific subaccounts only
- Single subaccount
IP Restrictions
Restrict key usage by IP:
- Click on the key
- Add allowed IPs
- Save changes
Only requests from listed IPs will work.
Troubleshooting
Authentication Failed
401 Unauthorized response:
- Verify key is correct
- Check key isn't revoked
- Confirm Authorization header format
- Check key hasn't expired
Permission Denied
403 Forbidden response:
- Review key permissions
- Check resource access
- Verify subaccount scope
- Confirm IP allowlist
Rate Limited
429 Too Many Requests:
- Check rate limit headers
- Implement backoff
- Request limit increase
- Optimize request patterns
Key Not Working
If key stops working:
- Check key status in dashboard
- Verify key hasn't been revoked
- Check for expiration
- Test with fresh key
API Documentation
Accessing Docs
Full API documentation available at:
https://docs.levyfleets.com/api- Swagger/OpenAPI spec
- Interactive API explorer
Available Endpoints
| Category | Endpoints |
|---|---|
| Rides | /rides, /rides/{id} |
| Vehicles | /vehicles, /vehicles/{id} |
| Customers | /customers, /customers/{id} |
| Analytics | /analytics/rides, /analytics/revenue |
| Zones | /zones, /zones/{id} |
SDKs
Official SDKs available:
- JavaScript/TypeScript
- Python
- Ruby
- PHP
Need Help?
For API key assistance, contact support@levyelectric.com.