TL;DR: Settings → API Keys. Each key has a name and scope. Generate one per integration (your CRM, your sequencer, your AI agent). Rotate annually or on personnel changes.
Creating a key
Settings → API Keys → + New key. Configure:
- Name — what's this key for? ("HubSpot sync", "n8n workflow X", "Claude Desktop MCP")
- Scope — what can this key do? Pick from:
  - Read-only — queries only (find, get, list, insights)
  - Write enrichment — read + enrich endpoints
  - Write signals — read + push signals
  - Full — all above + audiences, destinations, settings
- Expiration — never, 30 days, 90 days, 1 year. Default 1 year.
Click Generate. The key is shown ONCE — copy it now. After this dialog closes, the key is hashed and never shown in full again.
Storing the key
Treat API keys like passwords:
- DO — store in your secret manager (1Password, AWS Secrets Manager, env vars in a CI vault)
- DO NOT — commit to git, paste in Slack, email, or any shared doc
Unstuck Engine's CLI and MCP server read the key from the environment variable UNSTUCK_API_KEY or from the credentials file at ~/.unstuck/credentials (created by unstuck auth login). Both methods keep the key out of your code.
Listing keys
Settings → API Keys shows all keys with:
- Name
- Scope
- Created at + by (which team member)
- Last used at
- Expires at
- Status (Active / Expired / Revoked)
The full key value is never shown again — only a redacted form (unstuck_***_a1b2c3d4) that helps you identify the key without exposing it.
Rotating a key
Best practice: rotate annually or on personnel change.
- Settings → API Keys → + New key — create the new key with the same scope
- Update consumers (your CRM integration, your n8n workflow, etc.) to use the new key
- Confirm consumers are working with the new key
- Revoke the old key
The two keys can coexist during the transition — no need for a hard cutover.
Revoking a key
Settings → API Keys → row → Revoke. Immediate effect — any in-flight requests using that key get a 401 on the next call.
Revoke when:
- A team member leaves
- A key is suspected compromised
- An integration is decommissioned
Revocation is irreversible. To restore access, generate a new key.
Last used at
The Last used at column tells you which keys are actually being used. Stale keys (last used >90 days ago) are usually safe to revoke — confirm the integration is no longer needed, then revoke.
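The annual-rotation and 90-day staleness rules above can be checked in one pass over the key list. The following is an added example, not Unstuck Engine code: the rows are constructed sample data transcribed from the columns shown under Settings → API Keys, and the field names and the audit function are this example's own assumptions.

```python
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)     # page: last used >90 days ago is stale
ROTATE_AFTER = timedelta(days=365)   # page: rotate annually

# Constructed sample rows (hypothetical field names), copied by hand from
# the Name / Scope / Created at / Last used at / Status columns.
KEYS = [
    {"name": "HubSpot sync", "scope": "Write enrichment",
     "created": date(2024, 1, 10), "last_used": date(2025, 5, 30), "status": "Active"},
    {"name": "n8n workflow X", "scope": "Read-only",
     "created": date(2025, 2, 1), "last_used": date(2025, 2, 3), "status": "Active"},
    {"name": "Claude Desktop MCP", "scope": "Full",
     "created": date(2025, 4, 15), "last_used": None, "status": "Active"},
    {"name": "old CRM", "scope": "Full",
     "created": date(2023, 3, 1), "last_used": date(2023, 9, 1), "status": "Revoked"},
]

def audit(keys, today):
    """Return {key name: [findings]} for active keys that need attention."""
    report = {}
    for k in keys:
        if k["status"] != "Active":   # Expired and Revoked rows are skipped
            continue
        findings = []
        # A key that was never used is measured from its creation date.
        last_seen = k["last_used"] or k["created"]
        if today - last_seen > STALE_AFTER:
            findings.append("stale: confirm the integration is unneeded, then revoke")
        if today - k["created"] > ROTATE_AFTER:
            findings.append("rotate: older than one year")
        if findings:
            report[k["name"]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(KEYS, date(2025, 6, 1)).items():
        print(name, "->", "; ".join(findings))
```

A key that was created but never used would otherwise have no last-used date to compare, so the example ages it from creation instead of silently passing it.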
Rate limits per key
Rate limits apply at the workspace level, not the key level. Multiple keys share the workspace's quota. If you need to isolate quotas (e.g. one key for production traffic, one for dev), use separate workspaces.