API Keys

Create, scope, expire, and revoke the keys that authenticate your REST API requests.

Overview

API keys are how external scripts and applications authenticate to the REST API. Each key is scoped to your account: it can read and write your own data and nothing else. Remy has no multi-account or multi-user keys.

Manage your keys from Settings → API Keys.

Creating a Key

  1. Open Settings → API Keys.
  2. Click Create API key.
  3. Give it a name that tells you what it's for (e.g., "Mac sync script", "Zapier integration"). Names are mandatory and shown in the list — don't leave the default.
  4. Choose an expiry: 30 days, 60 days, 90 days, 365 days, or a custom date.
  5. Click Create.

Remy displays the full key string once.

Save the key on creation — it's never shown again

After you close the create dialog, Remy can show you the key's name and the last 4 characters, but the full secret is hashed at rest and cannot be retrieved. If you lose it, the path forward is to revoke and create a new one.

Copy the key into your password manager, deployment secrets, or environment variables — wherever your script will read it from.

Using a Key

Pass the key as a Bearer token in the Authorization header on every request:

Authorization: Bearer rmy_<your-key>

A working test request:

curl "https://app.remy.com/api/v1/contacts?limit=1" \
  -H "Authorization: Bearer rmy_<your-key>"

You should get back a { data, total } response with one of your contacts (or an empty list if your account is empty).

Listing and Identifying Keys

Settings → API Keys shows every key you've created with:

  • The name you gave it.
  • A preview of the last 4 characters of the key (e.g., ••••••••a3f9) — useful for matching to whichever script is using it.
  • The expiry date.
  • The creation date.
  • The last-used timestamp, if any.

If you spot a key with no recent use, it's a candidate for revocation.

Expiry

Every key has an expiry date set at creation. Once it passes, the key stops working: requests get a 401 with the message "Invalid, expired, or revoked API key".

Expiry is intentional. The default options (30/60/90/365 days) cover most real use cases. Custom dates are available if you need to align expiry to a contract or rotation schedule.

There is no auto-renewal today. To keep a key working past its expiry, create a new one before the old one expires and update your script to use the new value.
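
The Python sketch below is an added example, not Remy's own code, covering both Using a Key and Expiry: it reads the key from the environment, sends it as a Bearer token, logs only the last-4 preview, and treats a 401 as a signal to rotate. The variable names REMY_API_KEY and REMY_API_KEY_EXPIRES (an ISO date you record yourself at creation) and all function names are assumptions.

```python
import os
import urllib.error
import urllib.request
from datetime import date

API_BASE = "https://app.remy.com/api/v1"  # base URL from the curl example above
KEY_ENV = "REMY_API_KEY"                  # assumed variable name
EXPIRY_ENV = "REMY_API_KEY_EXPIRES"       # assumed: ISO date you noted at creation


class KeyRejected(Exception):
    """The API answered 401: the key is invalid, expired, or revoked."""


def load_key(env=os.environ):
    """Read the key from the environment; never hard-code it in the script."""
    key = env.get(KEY_ENV, "").strip()
    if not key.startswith("rmy_"):
        raise ValueError(f"{KEY_ENV} is unset or lacks the rmy_ prefix")
    return key


def preview(key):
    """Log-safe form: last 4 characters only, as in the Settings list."""
    return "••••••••" + key[-4:]


def days_left(env=os.environ, today=None):
    """Days until the expiry recorded at creation, or None if not recorded."""
    raw = env.get(EXPIRY_ENV)
    if not raw:
        return None
    return (date.fromisoformat(raw) - (today or date.today())).days


def build_request(key, path):
    """Attach the key as a Bearer token, as the API expects."""
    return urllib.request.Request(
        API_BASE + path, headers={"Authorization": f"Bearer {key}"})


def fetch(key, path, opener=urllib.request.urlopen):
    """Send the request; turn a 401 into an error that names only the preview."""
    try:
        with opener(build_request(key, path), timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        if err.code == 401:
            raise KeyRejected(f"key {preview(key)} rejected: rotate it") from err
        raise
```

Call days_left() at script start and alert when it drops below your rotation lead time, since the key simply stops working on its expiry date.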

Revocation

Revocation is immediate. From Settings → API Keys, click the menu next to a key and choose Revoke.

The next request that key makes will get a 401. There is no grace period — once revoked, the key is dead.

Revoke promptly when:

  • A laptop or server with the key has been lost or stolen.
  • A teammate who had the key has left.
  • You think the key may have been logged or shared accidentally.

What Gets Logged

Every key's lifecycle is recorded in the Activity Log:

  • API Key Created — a key was generated, including its name and expiry.
  • API Key Revoked — a key was revoked.

Beyond lifecycle, the key's usage is also visible: every mutation made through it is logged with authMethod: "api_key", so you can audit a specific key's effects by searching the log for that auth method.

Scope and Limits

Today, every key has the same scope: full access to your account's data through the REST API. There are no read-only or per-resource keys yet.

Today | Roadmap
Full-access keys, scoped to your account | Read-only keys
One-by-one creation | Bulk rotation
Manual expiry | Automatic rotation reminders

If a tighter scope matters to you, the workaround is to keep keys short-lived and revoke aggressively — that's the same tradeoff per-resource scoping would solve.

Frequently Asked Questions

How many keys can I have?

There's no hard cap. The practical limit is the noise of having too many to track in Settings → API Keys — a handful named for each use case is the intended pattern.

Can someone else's key read my data?

No. Keys are bound to the account that created them. A friend's key can't read your contacts even with the right URL.

Can I rename or change the expiry of an existing key?

Not today. Names and expiry are set at creation. To change either, revoke the old key and create a replacement.

Why was my key revoked when I didn't do anything?

If a key gets used in a way that triggers our abuse detection (sustained spikes well above expected usage), it can be auto-revoked. Check the Activity Log for API Key Revoked and contact support if you didn't expect it.

What happens to in-flight requests when I revoke a key?

Requests in transit when revocation happens may complete normally. The next new request after revocation gets a 401. Treat revocation as "fully effective within seconds," not "instantaneous to the millisecond."
