Restricted Keys
When you register with Invoicetronic, you receive a pair of primary keys (test and live) with full access to all API resources. Restricted keys let you create additional keys, ideal for managing multiple integrations or delegating access securely.
Creation and management
Restricted keys are created and managed from the Dashboard, in the Keys section. For each key you can configure:
- Description — a label to identify the key's purpose
- Status — enable or disable the key at any time
- Companies — restrict access to specific companies, or leave empty to allow access to all
- Permissions — choose a permission preset (see below)
Each restricted key automatically generates a test and live key pair, just like the primary key.
Permission presets
Each restricted key has a permission preset that determines which operations it can perform:
| Preset | Description |
|---|---|
| Full access | Read and write on all endpoints. Equivalent to the primary key (except for restricted key management itself) |
| Read only | Read-only operations (GET) on all endpoints. Ideal for monitoring or reporting integrations |
| Send | Read permissions on all endpoints, plus the ability to send invoices. Ideal for integrations that need to issue documents but not manage other resources |
Company restrictions
If your primary key manages multiple companies, you can create restricted keys that only have access to some of them. This is useful when:
- You have different clients and want to give each one a key that only accesses their own documents
- You want to isolate environments between departments or different integrations
- You need to delegate access to external collaborators, limiting it to the relevant companies
If you don't select any company, the key will have access to all companies on your account.
Use cases
- Least-privilege integration: create a read-only key for a reporting system that only needs to query invoices and logs
- External collaborator: create a temporary key restricted to specific companies for a consultant or developer
- Dedicated microservice: assign each service in your architecture a key with only the necessary permissions
- Development and testing: create test keys with reduced permissions for your development environments
- ISV with Desk: assign each client a restricted key limited to their company only, and let them use Desk directly with that key. Each client will have exclusive access to their own documents, with full autonomy and security
Security
Restricted keys follow the principle of least privilege: always assign only the permissions that are strictly necessary. You can disable or delete a restricted key at any time from the Dashboard, with immediate effect.
Best practice
Avoid sharing your primary key. Instead, create dedicated restricted keys for each integration or collaborator, so you can revoke access individually without impacting other integrations.