API Keys Management
Learn how to create and manage API keys to integrate Grab A Table with your website and systems.
Overview
API keys allow you to:
- Integrate bookings into your website
- Build custom booking experiences
- Sync data with other systems
- Automate reservation management
- Create custom applications
Accessing API Management
Navigate to: Venue Management > All Venues > Manage API

Understanding API Keys
What is an API Key?
An API key is a unique identifier that:
- Authenticates your requests
- Associates actions with your account
- Controls access to your venue data
- Tracks API usage and limits
Example API Key:
gat_live_sk_1234567890abcdef

Key Types
Test Keys (Sandbox):
- Prefix: gat_test_
- For development and testing
- No real reservations created
- Safe to experiment with
- Free unlimited usage
Live Keys (Production):
- Prefix: gat_live_
- For production websites
- Creates real reservations
- Requires active licence
- Usage tracked and billed

Creating API Keys
Generate New Key
- Go to Manage API
- Click "Create API Key" button
- Configure key settings:
  - Name: Descriptive name (e.g., "Main Website")
  - Type: Test or Live
  - Permissions: Select allowed operations
  - Restrictions: IP whitelist, domain restrictions (optional)
- Click "Generate Key"
- Copy key immediately (shown only once)

Key Permissions
Granular control over what each key can do:
Read Permissions:
- ✓ View venue information
- ✓ Check availability
- ✓ Read reservations
- ✓ View menu/features
Write Permissions:
- ✓ Create reservations
- ✓ Update reservations
- ✓ Cancel reservations
- ✓ Assign tables
Admin Permissions:
- □ Modify venue details
- □ Manage staff
- □ Access analytics
- □ Billing operations

Managing Existing Keys
View All Keys
Key List Shows:
- Key name
- Type (test/live)
- Permissions
- Created date
- Last used
- Status (active/revoked)
- Usage statistics

Key Details
Click a key to view:
- Key prefix (last 4 characters visible)
- Usage metrics
- Request history
- Error logs
- IP addresses used
- Associated applications

Editing Keys
What You Can Edit:
- Key name/description
- Permissions
- Access restrictions
- Rate limits
- Notification settings
What You Cannot Edit:
- Key value (must rotate to change)
- Key type (test vs. live)
- Creation date
- Past usage history
Key Rotation
Why Rotate Keys?
Periodically rotate keys for security:
- Reduce impact of potential compromise
- Align with security best practices
- Comply with security policies
- Refresh after staff changes
- Update after project completion
Recommended Frequency:
- Every 90 days (minimum)
- Immediately if compromised
- When staff changes
- After project completion
Rotation Process
- Create new key with same permissions
- Update applications to use new key
- Test new key works correctly
- Monitor both keys during transition
- Revoke old key once confirmed
- Verify all systems migrated

Best Practice: Run old and new keys in parallel briefly before revoking the old key.
Zero-Downtime Rotation
Strategy:
- Deploy new key to all servers
- Configure applications to try both keys
- Monitor success rates
- Once 100% on new key, remove old key
- Revoke old key in dashboard
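One way to implement the "try both keys" step and the success-rate check, as an added example that is not Grab A Table's own code. The class and function names are hypothetical, the transport is injected so no real endpoint or header is assumed, and the keys in the demo are constructed.

```python
from collections import Counter

class AllKeysRejected(Exception):
    """Every configured key got 401 Unauthorized."""

class DualKeyClient:
    """Prefers the new key and falls back to the old one on 401."""

    def __init__(self, new_key, old_key, send):
        # send(key, request) -> (status, body) is injected by the caller, so
        # nothing here assumes the real endpoints or authentication header.
        self.keys = [("new", new_key)]
        if old_key:                      # drop the old key by passing None
            self.keys.append(("old", old_key))
        self.send = send
        self.served_by = Counter()       # labels only, never key values

    def request(self, req):
        for label, key in self.keys:
            status, body = self.send(key, req)
            if status != 401:            # revoked or unknown keys return 401
                self.served_by[label] += 1
                return status, body
        raise AllKeysRejected("no configured key was accepted")

    def safe_to_revoke_old(self, min_requests=100):
        """True once enough traffic was seen and none of it needed the old key."""
        total = sum(self.served_by.values())
        return total >= min_requests and self.served_by["old"] == 0

def make_fake_backend(valid_keys):
    """Constructed stand-in for the API: 200 for a known key, otherwise 401."""
    def send(key, req):
        if key in valid_keys:
            return 200, {"ok": True}
        return 401, {"error": "Unauthorized"}
    return send

if __name__ == "__main__":
    NEW, OLD = "gat_test_sk_new_constructed", "gat_test_sk_old_constructed"
    valid = {NEW, OLD}                   # both keys active during transition
    client = DualKeyClient(NEW, OLD, make_fake_backend(valid))
    for _ in range(100):
        client.request({"op": "check_availability"})
    print(dict(client.served_by), client.safe_to_revoke_old())
```

The counters record which key served each request by label, so the rotation can be monitored without ever writing a key value to logs.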
Revoking Keys
How to Revoke
Immediately disable a key:
- Find key in list
- Click "Revoke" button
- Confirm revocation
- Key becomes invalid immediately

When to Revoke
Immediate Revocation:
- Key compromised or exposed
- Security breach detected
- Staff member with access leaves
- Key accidentally committed to Git
- Project abandoned
Planned Revocation:
- After successful key rotation
- Testing complete (test keys)
- Project completion
- Service migration
- Contract termination
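To catch the "key accidentally committed to Git" case before it happens, a pre-commit style scanner can look for the documented gat_live_ and gat_test_ prefixes. This is an added example, not part of the product; the key-body pattern (16 or more letters, digits or underscores) is an assumption based on the example key on this page, and the sample input is constructed.

```python
import re
import sys

# Assumption: after the documented prefix, the key body is at least 16
# letters, digits or underscores (this matches the page's example key).
KEY_RE = re.compile(r"\bgat_(live|test)_[A-Za-z0-9_]{16,}\b")

def redact(key):
    """Keep the 9-character type prefix and the last 4 characters only."""
    return f"{key[:9]}...{key[-4:]}"

def scan_text(text, path="<input>"):
    """Return one finding per key-shaped string, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            kind = m.group(1)
            findings.append({
                "path": path,
                "line": lineno,
                "type": kind,
                "key": redact(m.group(0)),
                # Live keys create real reservations and are billed.
                "severity": "high" if kind == "live" else "low",
            })
    return findings

# Constructed sample: the live key is the example key shown on this page.
SAMPLE = '''API_URL=https://example.invalid/api
GAT_KEY="gat_live_sk_1234567890abcdef"
# sandbox
key = 'gat_test_sk_abcdef1234567890'
note: the prefix gat_live_ alone is not a key
'''

if __name__ == "__main__":
    # Usage as a hook: pass the staged file paths as arguments.
    found = []
    for p in sys.argv[1:]:
        with open(p, encoding="utf-8", errors="replace") as fh:
            found += scan_text(fh.read(), p)
    for f in found or scan_text(SAMPLE, "SAMPLE"):
        print(f"{f['path']}:{f['line']} {f['severity']} {f['key']}")
    sys.exit(1 if found else 0)          # non-zero exit blocks the commit
```

A key that was already committed and pushed still needs to be revoked, since it remains in the repository history.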
After Revocation
Once revoked:
- All API requests fail immediately
- 401 Unauthorized errors returned
- Cannot be reactivated
- Historical data retained for records
- Must create new key if needed
Key Organization
Naming Best Practices
Good Names:
- ✓ "Production Website Widget"
- ✓ "Mobile App Backend - Live"
- ✓ "Development Testing - John"
- ✓ "Third-party Integration - Partner XYZ"
Poor Names:
- ✗ "Key 1"
- ✗ "test"
- ✗ "backup"
- ✗ "sk_12345"
Organizing Multiple Keys
By Environment:
- Development keys
- Staging keys
- Production keys
By Application:
- Website integration
- Mobile app
- Internal tools
- Partner integrations
By Team:
- Frontend team
- Backend team
- QA team
- External contractors

API Documentation Access
Quick Links
From API Management page:
- API Reference: Complete endpoint documentation
- Code Examples: Sample code in various languages
- Postman Collection: Import for testing
- Testing Console: Try API calls in browser

Testing Console
Test API calls without code:
- Select endpoint
- Choose authentication (test/live key)
- Fill parameters
- Click "Send Request"
- View formatted response

Features:
- Syntax highlighting
- Auto-completion
- Request history
- Copy as cURL
- Export as code
Next Steps
- Configure API security settings
- Set up webhooks for events
- Monitor API usage and limits
- Review API reference documentation
Need Help?
If you have questions about API key management, contact our support team at [email protected] or via WhatsApp.