Keys
Today we support several different API Keys on the Texture Platform.
Some of which you can generate yourself and one which is generated and returned to you when you create a Connect link for an end user and they connect a device.
Feel free to create as many API Keys as you need for your use case.
We suggest creating a new key for every context in which you'll be using one so that, in the event that your system gets compromised (which we hope doesn't happen!) you can revoke that single key and not have an impact on any of your other systems. If you use the same key in many contexts and that one key is compromised, you may have more of your systems compromised and you'll have a much longer slog trying to cycle it.
Server keys#
You can create these yourself and these are keys that are kept secret and intended to be used only for communication from your backend services to Texture's APIs. These can be used to retrieve device information, to perform actions on devices, and to perform meta functions (like configuring the Texture platform in an automated way).
As their name implies they must be kept secret, so they are never to be used in any context that is user-facing or client-side. This includes on your website, from a mobile app, etc. Texture will do its best to monitor and notice use cases like this and notify you and revoke API keys that may have been used in this manner (as they could compromise the systems of your users).
Connect keys#
These keys are alright to be used publicly. Again, you can create these yourself.
They can be used in websites, mobile apps, and other front end applications. They are primarily used in connection with our Connect interface for the end user to connect their device(s) and thus you can use them to create a connect link.
They cannot be used to run any commands on any device, to retrieve any device data, or do pretty much anything else. They are only for creating Connect links. In this way they are safe to put into a web application, mobile application, etc. because they cannot be used to do anything destructive or to access any sensitive information.
Scoped keys#
A Scoped key is not an API key you can create through the traditional means in the dashboard. These are special keys that are created and returned when you create and share a Connect link with an end user and they connect their device.
When you authenticate by creating a link session, you will receive back to your redirect url as a query parameter, a scoped key for the user, the name of this query parameter is texture_scoped_key.
This scoped key is keyed only to allow access to that specific user's devices and so it is ideal for use in a client application. They allow device read operations and commands, but cannot create, update, or delete devices or access other workspace resources.
More on Scoped Keys
Management keys#
A management key (MANAGEMENT type) gives org-wide, programmatic access to manage your Texture configuration. In short: everything you can do in the Dashboard, automated. Where server, connect, and scoped keys operate on device data within a workspace, a management key operates across your organization on the configuration itself — provisioning workspaces, managing your team, and administering the API keys, destinations, collections, and integrations that other keys rely on.
Management keys unlock the Management API, which covers operations including:
- Workspaces — provision and configure workspaces.
- Team management — onboard and offboard members and manage roles.
- API keys — create, rotate, and revoke keys across the organization.
- Destinations — manage webhook and data destinations.
- Collections and OAuth applications.
- Audit logs — review configuration and access activity.
Creating a management key#
Create a management key in the Dashboard under Developer → API Keys by selecting the MANAGEMENT type, or programmatically:
POST /v1/api-keys { "type": "MANAGEMENT", "ownerId": "<user-id>" }A management key requires an ownerId, so it is always tied to a specific user. Its actions inherit that user's permissions and cannot escalate beyond their role — if the owner can't do something in the Dashboard, neither can a management key created for them.
Authentication and secrecy#
Management keys authenticate with the same Texture-Api-Key header as other keys, and they carry the management_ prefix. Like server keys, they must be kept secret and used only from your backend — never in user-facing or client-side code.
:::important Management keys are required for management endpoints
Calling a management endpoint with a non-management key type (SERVER, API, etc.) returns a 401 UNAUTHENTICATED response instructing you to create a management key. Use a MANAGEMENT key for these operations.
:::