Skip to main content
ASIRI

Create an external API key

Create a least-privilege API key for systems that submit consent events, DSRs, vendors, incidents, Trust Center status reads, or evidence into ASIRI.

Back to help center Contact support
Help center
Integrations and evidence6 min readUpdated May 2026Developer Center > API keys and Settings > API keys
Access needed
OwnerAdminSecurity admin
ASIRI settings page for technical integrations including webhooks and API keys
Use Settings with a technical owner when creating API keys, webhooks, or other server-to-server integrations.
ASIRI evidence library with evidence records and review context
API-submitted evidence lands in the evidence system with source, review, freshness, and audit context instead of bypassing normal controls.

Choose one key per system

Create a separate API key for each external system. For example, use one key for your website consent banner, one key for your internal evidence exporter, and one key for vendor sync.

Separate keys make rotation and revocation safer. If one system is retired, you can revoke that key without breaking unrelated workflows.

Create the key

  1. 1Open Developer Center > API keys or Settings > API keys.
  2. 2Select Create API key.
  3. 3Name the key after the system that will use it, such as website-consent-production or github-evidence-exporter.
  4. 4Select only the scopes the system needs: evidence:write, consent:write, dsr:write, vendors:write, incidents:write, or trust-center:read.
  5. 5Copy the key once and store it in a server-side secret manager. Do not paste it into public frontend code.
  6. 6Record the owner, rotation date, and system purpose in your internal access register.

Production rules

API keys are bearer credentials. Treat them like production secrets. Never place them in browser JavaScript, mobile apps, screenshots, tickets, or public repositories.

Use idempotency keys on write requests so retries do not duplicate evidence, incidents, vendors, DSRs, or consent events.

Related

Keep going in this area.

Submit evidence through the external API

Send audit evidence from internal systems into ASIRI with source metadata, payload hashes, redaction, freshness, review state, and control mappings.

Read article

Review API-submitted evidence

Approve, reject, or map evidence submitted by API keys before it becomes part of your audit-facing posture.

Read article

Install ASIRI website widgets

Add consent, Trust Center badge, and DSR launcher widgets to a customer-facing website using tenant-safe public loaders.

Read article