API Keys

May 24, 2026

Learn how to create, manage, and revoke API keys, and understand the limits per plan.

What are API Keys?

An API key in Imara is a set of credentials — a Client ID and a Client Secret — that allows an external application or script to authenticate with the Imara API on behalf of your organization. Think of it as a special password created specifically for automation, not for humans logging in.

How to create an API key

  1. Go to Settings → API Keys in the customer panel.
  2. Click Create API Key.
  3. Give the key a descriptive name — for example, "CI/CD Pipeline" or "Internal Security Dashboard".
  4. Select the scopes (permissions) this key needs. Only grant what is required for the task.
  5. Click Create. The Client ID and Client Secret will be shown one time only — copy them immediately to a secure location.

Important: The Client Secret is not stored in Imara and cannot be retrieved after this step. If you lose it, you will need to revoke the key and create a new one.

Plan limits

The number of active API keys you can hold at the same time depends on your subscription plan:

  • Free — API access is not available
  • Starter — API access is available
  • Professional — up to 5 active API keys
  • Enterprise — up to 20 active API keys

How Imara counts API keys

Only active (non-revoked) keys count toward your plan limit. When you revoke a key it is immediately deactivated and no longer counts, freeing up a slot for a new one.

Need more keys?

If you have reached your plan limit and need additional keys, you have two options:

  • Upgrade your plan — move from Professional to Enterprise to raise the limit to 20.
  • Contact support — reach out to [email protected] to discuss custom limits for your use case.

Revoking an API key

  1. Go to Settings → API Keys.
  2. Find the key you want to remove and click Revoke.
  3. Confirm the action. The key is immediately deactivated — any system using it will receive authentication errors going forward.

Revoke keys whenever they are no longer needed, when a team member who managed them leaves, or if you suspect a key may have been compromised.

Security tips

  • Treat your Client Secret like a password — never share it over chat or email
  • Store secrets in a secrets manager (e.g., AWS Secrets Manager, 1Password) — never in plain text files or version control
  • Create one key per use case so you can revoke individual keys without disrupting other integrations
  • Grant only the minimum scopes each key actually needs
API Keys | Imara Documentation