Documentation Index
Fetch the complete documentation index at: https://support.affinity.co/llms.txt
Use this file to discover all available pages before exploring further.
How-to — task-oriented recipe.
Overview
Regularly audit all API keys in your Affinity instance to ensure security compliance, identify unused integrations, and maintain visibility into external data access. This guide helps admins review all keys, identify risks, and take appropriate action.Prerequisites
Permissions Required:- “Manage All API Keys” permission
- OR Enterprise Admin role
- OR Admin role (non-Enterprise orgs) Before You Start:
- Understanding of your org’s approved integrations
- Security policies for API key lifecycle
- List of current team members and their integration responsibilities
Steps
Step 1: Navigate to Manage Apps
- Click Settings in the left navigation
- Click Manage Apps
- The Manage Apps page opens
Step 2: Review API Usage Metrics
Check overall API health:- Review Monthly API Limit at top of page
- Check Current Usage percentage
- Identify if approaching limit (>80% = concerning)
- Note Reset Date for monthly counter Red flags:
- Usage >90% of limit = investigate which keys are high-volume
- Unexpected spike in usage = potential unauthorized access
- Usage when you have few known integrations = unknown keys active
Step 3: Review All API Keys Table
Scan the keys table:- Table shows all keys in your instance:
- Personal API keys from users
- Affinity Help keys (Professional Services)
- Revoked/historical keys
- Sort by different columns to identify patterns Recommended sorting strategies:
- Identifies stale keys that haven’t been used recently
- Keys unused for 90+ days are candidates for revocation Sort by “Owner”:
- Groups keys by user
- Identifies users with multiple keys (after M4)
- Shows keys from deactivated users Sort by “Created Date” (Newest first):
- Shows recently created keys requiring verification
- Helps identify unauthorized key creation Sort by “Status”:
- Filter to “Active” only to see current integrations
- Filter to “Revoked” to review audit history
Step 4: Investigate Each Key
For each API key, verify:- Click on key to open detail panel
- Is the purpose clear?
- Is it a known, approved integration?
- Is there contact information?
- Is this person still with the company?
- Are they the right owner for this integration?
- Should ownership transfer to someone else?
- Recent activity (< 30 days) = actively used
- 30-90 days = verify if still needed
- 90+ days = strong candidate for revocation
- Do you have documentation for this integration?
- Is it in your approved integrations list?
- Does the team know what it does?
Step 5: Identify Keys Requiring Action
Create categories: High Risk (Immediate Action Required):- Keys from deactivated users (auto-revoked, but verify)
- Keys with no name/description (undocumented)
- Affinity Help keys from old engagements (no longer needed)
- Keys not used in 180+ days
- Keys owned by unknown users Medium Risk (Investigate):
- Keys not used in 90-180 days
- Keys with vague descriptions
- Multiple keys from same user (pre-M4)
- Keys created recently without your knowledge Low Risk (Monitor):
- Well-documented, actively used keys
- Keys from known, approved integrations
- Keys used in last 30 days
Step 6: Take Action on Findings
For high-risk keys:- Contact key owner (if active user):
- “I see you have an API key called [Name]. Is this still in use?”
- “Can you provide more context about what [Integration] does?”
- “This key hasn’t been used in 6 months - can we revoke it?”
- Click key > Click “Revoke” > Confirm
- Document reason in your audit notes
- Monitor for any issues after revocation
- Add description to undocumented keys
- Clarify purpose based on owner feedback
- Add contact information For medium-risk keys:
- Request clarification from owners
- Set follow-up reminder for 30 days
- Add descriptions based on feedback
- Create inventory of approved integrations For Affinity Help keys:
- Verify engagement status with Professional Services
- Revoke if engagement ended
- Keep if ongoing but add description with engagement details
Step 7: Document Audit Results
Create audit report:- Personal keys: X
- Affinity Help keys: X
- Revoked keys: X
- Keys revoked: X
- Keys documented: X
- Keys requiring follow-up: X
-
Security risks identified
- Undocumented integrations discovered
- Recommendations for future Share with stakeholders:
- Security/compliance team
- IT leadership
- Integration owners
Step 8: Schedule Next Audit
Recommended frequency:- Quarterly: Standard security practice
- Monthly: If high integration usage or strict compliance requirements
- After employee departures: Verify deactivated users’ keys were revoked
- Before audits: Prepare for security/compliance reviews Set calendar reminder for next audit date
Expected Outcome
- Complete visibility into all API keys in your instance
- All keys have clear names and descriptions
- Unused or risky keys identified and revoked
- Documented inventory of approved integrations
- Compliance with security best practices
- Reduced risk of unauthorized data access
- Clear audit trail for security reviews
Tips & Best Practices
Audit Strategy:- Don’t revoke without verification - contact owners first
- Start with oldest “Last Used” keys - easiest wins
- Prioritize undocumented keys - biggest security risk
- Check after employee departures - verify auto-revocation worked Documentation:
- Require descriptions for all new keys - make it a team standard
- Template for descriptions: “Purpose | Owner | Contact | Systems”
- Update descriptions annually - keep information current
- Link to integration docs in description when possible Risk Assessment:
- Last Used > 180 days = High priority revocation candidate
- Last Used 90-180 days = Verify with owner
- Last Used 30-90 days = Monitor
- Last Used < 30 days = Active, review annually Communication:
- Give 48 hours notice before revoking others’ keys
- Explain the why: “Security audit found unused key”
- Offer support: “Let me know if you need help creating new key”
- Document responses: Add findings to key descriptions Compliance:
- Maintain audit logs: Keep records of all audits conducted
- Screenshot key tables: Evidence for compliance reviews
- Track revocations: Document why each key was revoked
- Report to leadership: Share audit summary with security team Special Considerations:
- Verify with Affinity Professional Services before revoking
- Usually safe to revoke if engagement ended >90 days ago
- Keep if ongoing retainer or support engagement Multiple Keys per User (post-M4):
- Users can have multiple keys for different integrations
- Audit each key individually
- Encourage descriptive naming to distinguish purposes