> ## Documentation Index
> Fetch the complete documentation index at: https://support.affinity.co/llms.txt
> Use this file to discover all available pages before exploring further.

# How to Audit API Keys in Your Instance

> How to Audit API Keys in Your Instance

<Note>
  **How-to** — task-oriented recipe.
</Note>

**Last Updated:** November 21, 2025

**Object Tags:** API Keys, Security Audit, Compliance, Admin, Manage Apps

## Overview

Regularly audit all API keys in your Affinity instance to ensure security compliance, identify unused integrations, and maintain visibility into external data access. This guide helps admins review all keys, identify risks, and take appropriate action.

## Prerequisites

**Permissions Required:**

* "Manage All API Keys" permission
* OR Enterprise Admin role
* OR Admin role (non-Enterprise orgs)

**Before You Start:**

* Understanding of your org's approved integrations
* Security policies for API key lifecycle
* List of current team members and their integration responsibilities

## Step 1: Navigate to Manage Apps

1. Click **Settings** in the left navigation
2. Click **Manage Apps**
3. The Manage Apps page opens

## Step 2: Review API Usage Metrics

**Check overall API health:**

1. Review **Monthly API Limit** at top of page
2. Check **Current Usage** percentage
3. Identify if approaching limit (>80% = concerning)
4. Note **Reset Date** (Date is based off UTC-8 (Pacific Standard Time) and UTC-7 (Pacific Daylight Time)

**Red flags:**

* Usage >90% of limit = investigate which keys are high-volume
* Unexpected spike in usage = potential unauthorized access
* Usage when you have few known integrations = unknown keys active

## Step 3: Review All API Keys Table

**Scan the keys table:**

1. Table shows all keys in your instance:

* Personal API keys from users
  * Affinity Help keys (Professional Services)
  * Revoked/historical keys

### **Recommended sorting strategies:**

**Sort by "Last Used" (Oldest first):**

* Identifies stale keys that haven't been used recently
* Keys unused for 90+ days are candidates for revocation

**Sort by "Owner":**

* Groups keys by user
* Identifies users with multiple keys
* Shows keys from deactivated users

**Sort by "Created Date" (Newest first):**

* Shows recently created keys requiring verification
* Helps identify unauthorized key creation

**Sort by "Status":**

* Filter to "Active" only to see current integrations
* Filter to "Revoked" to review audit history

## Step 4: Investigate Each Key

**For each API key, verify:**

* **Click on key** to open detail panel

**Review Name and Description**:

* Is the purpose clear?
  * Is it a known, approved integration?
  * Is there contact information?

**Check Owner**:

* Is this person still with the company?
  * Are they the right owner for this integration?
  * Should ownership transfer to someone else?

**Check Last Used**:

* Recent activity (\< 30 days) = actively used
  * 30-90 days = verify if still needed
  * 90+ days = strong candidate for revocation

**Verify against inventory**:

* Do you have documentation for this integration?
  * Is it in your approved integrations list?
  * Does the team know what it does?

## Step 5: Identify Keys Requiring Action

**Create categories:**

**High Risk (Immediate Action Required):**

* Keys from deactivated users (auto-revoked, but verify)
* Keys with no name/description (undocumented)
* Affinity Help keys from old engagements (no longer needed)
* Keys not used in 180+ days
* Keys owned by unknown users

**Medium Risk (Investigate):**

* Keys not used in 90-180 days
* Keys with vague descriptions
* Multiple keys from same user
* Keys created recently without your knowledge

**Low Risk (Monitor):**

* Well-documented, actively used keys
* Keys from known, approved integrations
* Keys used in last 30 days

## Step 6: Take Action on Findings

**For high-risk keys:**

1. **Contact key owner** (if active user):

* "I see you have an API key called \[Name]. Is this still in use?"
  * "Can you provide more context about what \[Integration] does?"
  * "This key hasn't been used in 6 months - can we revoke it?"

**Revoke if confirmed unnecessary**:

* Click key > Click "Revoke" > Confirm
  * Document reason in your audit notes
  * Monitor for any issues after revocation

**Update documentation if keeping**:

* Add description to undocumented keys
  * Clarify purpose based on owner feedback
  * Add contact information
  * **For medium-risk keys:**

1. **Request clarification** from owners
2. **Set follow-up reminder** for 30 days
3. **Add descriptions** based on feedback
4. **Create inventory** of approved integrations
5. **For Affinity Help keys:**
6. **Verify engagement status** with Professional Services
7. **Revoke if engagement ended**
8. **Keep if ongoing** but add description with engagement details

### Step 7: Document Audit Results

**Create audit report:**

1.

**Total keys**: Active vs. Revoked 2.

**Keys by category**:

* Personal keys: X
  * Affinity Help keys: X
  * Revoked keys: X

1.

**Actions taken**:

* Keys revoked: X
  * Keys documented: X
  * Keys requiring follow-up: X

1.

**Findings**:

* Security risks identified
  * Undocumented integrations discovered
  * Recommendations for future **Share with stakeholders:**
* Security/compliance team
* IT leadership
* Integration owners

### Step 8: Schedule Next Audit

**Recommended frequency:**

* **Quarterly**: Standard security practice
* **Monthly**: If high integration usage or strict compliance requirements
* **After employee departures**: Verify deactivated users' keys were revoked
* **Before audits**: Prepare for security/compliance reviews **Set calendar reminder** for next audit date

***

## Expected Outcome

* Complete visibility into all API keys in your instance
* All keys have clear names and descriptions
* Unused or risky keys identified and revoked
* Documented inventory of approved integrations
* Compliance with security best practices
* Reduced risk of unauthorized data access
* Clear audit trail for security reviews

***

## Tips & Best Practices

**Audit Strategy:**

* **Don't revoke without verification** - contact owners first
* **Start with oldest "Last Used" keys** - easiest wins
* **Prioritize undocumented keys** - biggest security risk
* **Check after employee departures** - verify auto-revocation worked **Documentation:**
* **Require descriptions for all new keys** - make it a team standard
* **Template for descriptions**: "Purpose | Owner | Contact | Systems"
* **Update descriptions annually** - keep information current
* **Link to integration docs** in description when possible **Risk Assessment:**
* **Last Used > 180 days** = High priority revocation candidate
* **Last Used 90-180 days** = Verify with owner
* **Last Used 30-90 days** = Monitor
* **Last Used \< 30 days** = Active, review annually **Communication:**
* **Give 48 hours notice** before revoking others' keys
* **Explain the why**: "Security audit found unused key"
* **Offer support**: "Let me know if you need help creating new key"
* **Document responses**: Add findings to key descriptions **Compliance:**
* **Maintain audit logs**: Keep records of all audits conducted
* **Screenshot key tables**: Evidence for compliance reviews
* **Track revocations**: Document why each key was revoked
* **Report to leadership**: Share audit summary with security team **Special Considerations:**

**Affinity Help Keys:**

* Verify with Affinity Professional Services before revoking
* Usually safe to revoke if engagement ended >90 days ago
* Keep if ongoing retainer or support engagement **Multiple Keys per User (post-M4):**
* Users can have multiple keys for different integrations
* Audit each key individually
* Encourage descriptive naming to distinguish purposes

***

## Common Use Cases

**Quarterly Security Audit:** "Our security team requires quarterly API access reviews." → Export Manage Apps table, review all keys, revoke unused keys, document findings in security report.

**Pre-Compliance Audit:** "We have a SOC 2 audit next month and need to show API key management." → Ensure all keys have descriptions, revoke undocumented or stale keys, create audit trail documentation.

**Employee Departure:** "A developer who built integrations left the company." → Verify their keys were auto-revoked, identify which integrations broke, reassign to active team member, create new keys and update integrations.

**Unknown Integration Discovery:** "API usage is high but I don't know which integrations are responsible." → Review all keys, contact owners of undocumented keys, add descriptions, create integration inventory.

***
