API keys
API keys let outside tools — like the Claude integration, an automation in Zapier, or a one-off migration script — act for your firm without anyone having to sign in.
Each key belongs to your firm. Anyone who has the key can do the same things in Assure Pro that the person who created it could do at the time they created it.
Open Settings → API keys to manage them. You’ll see the existing keys in a list with a small Create form at the top.
Create a key
Type a clear name in the Name field at the top of the page — something you’ll recognize later like “MCP server,” “Zapier integration,” or “Migration script.” Then click Create.
A dialog opens showing the new key. This is the only time you’ll see the full key — copy it now and store it somewhere safe like your team’s password manager.
[Screenshot: New API key dialog showing the full key with a copy button]
Click the clipboard icon to copy. Click I’ve saved it to close the dialog. The key now appears in the list, but only the first few characters are shown.
If you lose the key later, Assure Pro can’t recover it. You’ll need to revoke it and create a new one.
Use a key
Paste the key into the tool you want to connect — for example, into the configuration screen of the Claude integration, your automation tool, or your script’s settings.
The remote Claude integration at api-pro.assureone.ai holds the key on Assure Pro’s side, so you don’t paste it into Claude directly.
Revoke a key
Find the key in the list and click Revoke on its row. A confirmation prompt appears:
Revoke “MCP server”? Any script using this key will stop working.
Click to confirm. The key stops working immediately — there’s no grace period — so make sure you have a replacement ready first if the script is doing important work.
Rotate a key
Rotate keys when someone leaves your firm, when you suspect a key has been shared outside the firm, or once a year as routine hygiene.
There’s no in-place rotate in this version. The flow is:
- Click + New and create a new key with the old name plus ” v2.”
- Update the tool or script to use the new key.
- Confirm the new key works.
- Revoke the old key.
Tips and gotchas
- Lost keys can’t be recovered. Always copy and save the key into a password manager the moment you create it.
- Don’t paste keys into chat or email. Use Firm credentials to share them across the team.
- The prefix in the list is not the full key. If a teammate asks for the key behind a particular integration, they need the full string from the password manager.
- One key per integration. Don’t reuse a key across two tools — when you rotate, you’ll have to update both at once.
What keys can’t do
- Sign in to the Assure Pro dashboard — keys are for tools, not for people.
- Reset another user’s password.
- See data from other firms.
- Skip permission checks — a key can only do what its creator was allowed to do.
Limits
| Limit | This version |
|---|---|
| Keys per firm | 10 |
| Keys per person (creator) | 5 |
| Requests per minute, per key | 1,000 |
| Largest request | 10 MB |
If a tool hits one of these limits, Assure Pro tells the tool to slow down or shrink the request.
How permissions work
A key inherits the permissions of the person who created it, captured at the moment of creation.
- Giving the creator more permissions later does not grant them to the key. Revoke and recreate the key to refresh it.
- Removing permissions from the creator later does not remove them from the key either.
- Deactivating the creator’s user account does not disable the key. Revoke it explicitly.
This decoupling is intentional — it keeps automations working through personnel changes — but it means you should treat key rotation as part of every offboarding.
Who can manage keys
| Action | Who can do it |
|---|---|
| Open the API keys page | Anyone with View firm settings |
| Create a key | Anyone with Edit firm settings |
| Revoke a key | Anyone with Edit firm settings |
Anyone with Edit firm settings can revoke any key in the firm, including ones they didn’t create. That’s intentional — admins need to be able to shut off a key whose creator has left.
Every action on a key — create, use, revoke — is recorded in your firm’s activity log so owners can trace what each integration did.
Next
- Firm credentials — share the key value safely across your team.
- Team and permissions — control who can manage settings.
- Integrations — connect Gmail, Outlook, and other tools that don’t need a key.