API Keys

Pour :Administrateur

View of the 'API keys' page

An API key is a secret identifier that lets an external tool (Make, n8n, Zapier, an in-house script, a CRM…) read the data of your Unisoft organization on your behalf. This page explains how to create, manage and revoke these keys safely.

Open the API Keys tab

1. 1

   Go to the Developers page

   Type the URL /app/developpeurs/tabs in the address bar, or open your bookmark.

2. 2

   'API Keys' tab

   The tab is selected by default when the page opens.

Understanding the table

The central table lists the existing API keys of your organization. For each, you see:

Column	Content
Name	The label you chose at creation (e.g., Make - Mailchimp sync)
Prefix	The first 12 characters of the key followed by … (for example ke_live_abcd…), displayed in clear so you can recognize it in the list. The full key is never shown again after creation.
Permissions	The scopes granted (tags) — what the key can read
Last use	Relative date of the last API call made with this key, or never
Status	Active (green), Revoked (red), or Inactive (gray)
Actions	Revoke and Delete buttons

★

Spot an abandoned key

If the Last use column shows never or several months ago, it is probably an orphan key. Revoke it to reduce your attack surface.

Create a new key

1. 1

   Click 'New key'

   The button is at the top right of the tab. A modal opens.

2. 2

   Give a descriptive name

   Enter a descriptive name like Make production, Zapier Mailchimp, or Accounting export script. You will find it later when you have several keys.

3. 3

   Choose the permissions

   Select the scopes (permissions) the key will be able to use. By default, all read-only permissions are pre-selected. See the table below for details.

4. 4

   Click 'Create the key'

   A new modal appears immediately with the raw key.

5. 5

   Copy the key right away

   Click "Copy the key" or use the copy icon. You will never see this key again once the modal is closed — paste it immediately into your tool or your password manager.

6. 6

   Confirm

   Click "I have copied the key" to close the modal.

⛔

Shown only once

For security reasons, the raw key (in the format ke_live_...) is only shown once, just after its creation. If you close the modal without copying it, you will have to create a new key and delete this one. Unisoft only stores the cryptographic fingerprint of the key, never the key in clear.

Available permissions

Each scope authorizes a specific type of access. Check only what your integration needs.

Scope	What it authorizes
contacts:read	Read the list and profiles of contacts
paiements:read	Read collected payments
abonnements:read	Read recurring payments (subscriptions)
forms:read	Read the form definitions
forms_submit:read	Read the submissions sent by your forms
webhooks:manage	Manage outgoing webhooks via API (create, edit, delete)

ℹ

Write permissions coming

Read-only permissions are currently available. Write permissions (creating contacts or payments via API) will be added in a future version.

Use the key in an external tool

Once the key is in hand, here is how it is used:

In a raw HTTP call

All requests to the Unisoft API must include the key in the Authorization HTTP header in Bearer format:

GET /integrations/v1/contacts HTTP/1.1
Host: api.unisoft.world
Authorization: Bearer ke_live_xxxxxxxxxxxxxxxxxxxxx

In Make / Integromat

1. Create an HTTP or Webhook connection.
2. Authentication type: Bearer Token (or Header depending on the module).
3. Value: your ke_live_... key.

In n8n

1. Add an HTTP Request node.
2. Authentication: Header Auth.
3. Name: Authorization, Value: Bearer ke_live_....

In Zapier

1. Choose the action Webhook by Zapier → Custom Request.
2. Headers: add Authorization: Bearer ke_live_....

For the complete list of endpoints (URL, parameters, response format), check the Swagger documentation via the "API Documentation" button at the top right of the Developers page.

Revoke a key

Revocation immediately disables the key. Any integration using it stops on the next request.

1. 1

   Locate the key in the table

   Identify the key by its name or its prefix.

2. 2

   Click 'Revoke'

   The button is in the Actions column. A confirmation request appears.

3. 3

   Confirm

   Confirm the revocation. The key's status changes to Revoked (red tag). It can never be reactivated.

⚠

When to revoke?

Revoke without hesitation in these cases: a developer leaves the organization, an external tool has been compromised, a key appears in an email or a Git repo by accident, you find a key you no longer recognize.

Delete a key

Deletion erases the key from the table. It is no longer listed, but the functional result is the same as a revocation: the key no longer works.

1. 1

   Click the Delete icon

   Red trash icon in the Actions column.

2. 2

   Confirm

   The key disappears from the table.

Prefer revocation over deletion if you want to keep the trace of a key for audit. Reserve deletion for cleanup of old keys without historical interest.

Practical case: configure Make to synchronize contacts with Mailchimp

1. 1

   Create a dedicated key

   Name: Make - Mailchimp sync. Permission: only contacts:read (nothing else).

2. 2

   Copy the key to the clipboard

   Save it in your password manager or paste it directly into Make in the next step.

3. 3

   Configure the Make scenario

   Module: HTTP → Make a request. URL: https://api.unisoft.world/integrations/v1/contacts. Method: GET. Header: Authorization: Bearer ke_live_....

4. 4

   Test the scenario

   Make should receive the contact list. If yes, plug in the rest (Mailchimp → Add/Update Subscriber).

5. 5

   Schedule the execution

   Configure the desired frequency (every hour, every day…). The scenario will run autonomously.

Security best practices

Rule	Why
One key per integration	If a key is compromised, you revoke it without breaking the other tools
Minimum permissions	Only check the strictly necessary scopes
Storage in a vault	Password manager (1Password, Bitwarden, KeePass…) or environment variables of your tool — never in clear in a file
Regular monitoring	Check the Last use column every quarter. An inactive key is a useless risk
Periodic rotation	For critical integrations, create a new key every 6-12 months and revoke the old one

Pitfalls to avoid

Pitfall	Consequence	Solution
Close the modal without copying the key	Key lost, integration impossible	Recreate a key and delete the previous one
Store the key in an email or a Slack	Possible compromise	Always use a password manager
Check all permissions out of habit	Maximum attack surface	Uncheck what the integration does not need
Reuse the same key for several tools	Hard to trace who calls what	One key = one tool = one descriptive name

Takeaways

• An API key lets an external tool read the Unisoft data of your organization.
• The raw key is shown only once at creation — copy it immediately.
• The "Revoke" button instantly stops any integration that uses the key.
• One key per use and minimum permissions are the two golden rules.

Go further

• Developers overview — the two integration building blocks
• Outgoing webhooks — receive real-time notifications