Multiple Tenant API Keys


Audience: Upper Management, Developers, Administrator, Data

Introduction

LoanPro's Loan Management System (LMS) offers an API so you can integrate our software with yours. Like most APIs, ours requires authentication in the form of an API key. Unlike most APIs, ours also allows users to create multiple API keys for use by multiple personnel. Instead of providing a single API key for your tenant, our software allows you to create and assign API keys to the Agent Users saved to your account.

In this article, we'll explain how to set up multiple API keys and assign them to your users. We'll also cover some example scenarios of why this feature may be a benefit to your team. Then, we'll answer some common questions.

In-Depth Information

As we mentioned above, our API requires authentication in the form of an API key. If you send a request without a valid key, the system will swiftly reject it and send you a 401 response. Don't let it hurt your feelings—it's not personal. It's simply for security and server bandwidth protection. But creating keys for API use is easy. These keys are associated with your Agent Users; meaning, you'll need to create Agent Users to create API keys. You likely already have Agent Users created in your account, but you may want to consider who to associate with your keys. We'll discuss that in more detail below.

First, let's discuss how you can create and manage API keys.

How to Create Multiple API Keys

If you haven't already, you'll need to get your LMS API configuration set up. We suggest taking a look at the articles in our API Basics category to help you get started. If you're already an API user, you can start creating multiple keys, and you'll likely already be familiar with where in the software to go.

To view your account's API settings, navigate to Settings > Company > API > Overview. Here, you can view and edit your account API information and create new keys.

You'll notice this page also displays the URL and Tenant ID you will use for API requests. Below that information, you'll see which keys have been created and the following information for each:

| Column Name | Description |
|---|---|
| API Token | This is the authentication token that can be used for API requests. |
| Name | This is the name of the Agent User who has been associated with the API key. |
| Role | This is the role of the Agent User who has been associated with the API key. This role does not determine access to certain API requests. It is simply here to display the access that the Agent User has been granted in the UI. |
| Status | This shows whether the API key is active or inactive. |

Click 'New API Key' to generate a new key.

Clicking 'New API Key' will display a window on the screen. This window will ask you to select an Agent to associate the key with. The Agent User you select here will be displayed as the user who sent the API request when the associated key is used.

The list of available Agents when creating a new API key will be limited to the Agent Users you have saved to your account.

Once you've selected the Agent to associate with the key, click 'Create API Key' to finish. The new key (and its associated user) will now be displayed in your list of API keys.

Key Management

Once you've created a few API keys, you'll want to determine how to manage them. Your key management practices will be up to you, but you can use this page to do a few things.

Each key you create can be set to an 'Inactive' status at any time. This could be useful if you'd like to temporarily revoke API access and possibly reinstate that access with the same token. To set a key as inactive, click the green slider button.

You can also rotate your API keys. Instead of deleting and creating a new API key, it's much easier to simply click the rotate icon located on the right side of the page. Next to it, you'll see the trash icon; click that to delete an API key.

API keys do not automatically rotate. You will need to determine when to rotate your API keys and manually do so.

You'll notice in the example above that there are two API keys associated with a user named 'Tom Jorgensen'. If preferred, multiple API keys can be assigned to a single user. However, we don't typically recommend creating API keys like this. The user associated with the key used to send a request will be logged. So if you prefer to keep good track of which Agent User is sending which requests, assigning multiple keys to a single user will make it difficult to determine if your requests are being sent by multiple users.
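Because rotation is manual and the logged user is the only attribution you get, it helps to audit your key list on a schedule. The following is an added example, not LoanPro code: the inventory records, the labels, the partner name, the `last_rotated` field and the 90-day threshold are all assumptions you would replace with your own records and policy.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory, kept by hand alongside the API Overview page.
# Store a label per key, never the token itself. "last_rotated" is a date
# you record yourself when you click the rotate icon (assumption).
KEYS = [
    {"label": "key-1", "agent": "Tom Jorgensen", "status": "active",
     "last_rotated": date(2024, 1, 10)},
    {"label": "key-2", "agent": "Tom Jorgensen", "status": "active",
     "last_rotated": date(2024, 5, 2)},
    {"label": "key-3", "agent": "Partner - Acme Servicing", "status": "active",
     "last_rotated": date(2024, 5, 20)},
    {"label": "key-4", "agent": "Batch Jobs", "status": "inactive",
     "last_rotated": date(2023, 11, 1)},
]


def audit_keys(keys, today, max_age_days=90):
    """Flag active keys overdue for rotation and Agent Users holding
    more than one active key (which blurs who sent a logged request)."""
    findings = []
    active_by_agent = defaultdict(list)
    for key in keys:
        if key["status"] != "active":
            continue  # inactive keys have API access revoked; skip them
        active_by_agent[key["agent"]].append(key["label"])
        age = (today - key["last_rotated"]).days
        if age > max_age_days:
            findings.append(
                ("rotation_overdue", key["label"], f"{age} days since rotation"))
    for agent, labels in sorted(active_by_agent.items()):
        if len(labels) > 1:
            findings.append(("shared_agent", agent, ", ".join(labels)))
    return findings


if __name__ == "__main__":
    for kind, subject, detail in audit_keys(KEYS, date.today()):
        print(f"{kind}: {subject} ({detail})")
```
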

Domains

Lastly, you'll notice that the bottom of the API Overview page includes a 'Domain' section. You'll want to pay special attention to this section if you're anticipating API requests from another domain. In other words, if another web application is going to be sending requests to LoanPro's API, you'll need to add its domain to this list. If a request is received from a domain not listed here, it will be automatically rejected.

To add an additional domain, simply type the URL into the text box. You'll use commas here to separate each listed domain.

The domain name of the server sending the requests to the LoanPro API is required for security reasons.

Edge Cases

How you set up your tenant's API configuration is up to you. But there are some specific use cases for why you may want to use multiple API keys.

If you're a lender who has partnered with another business, you may also be handing them your API credentials for integration purposes. If you're both sharing one key, it'll be near impossible to determine who is sending which requests. Setting up multiple keys will help make things much clearer. If this is a case that applies to your lending operation, you'll want to create an Agent User specifically for your partner. When you create the Agent User, make sure to choose a name that represents them in a way that will be clear for you when auditing who's sending requests.

Customer Questions

Is there a limit to how many API keys I can have active at a time?

Nope, there is no limit. You can create as many as you'd like, but we wouldn't recommend creating them without good reason: more keys equals more risk. And if you'd like to rotate keys frequently, rotating a lot of keys can get tedious.

Does it matter which Agent Users I associate API keys with?

Ultimately, that's up to you. However, if you'd like our two cents, we think it's a very good idea to make mindful decisions about which users are associated with keys. The user associated with the key used to send a request will be logged. So if you prefer to keep good track of which Agent User is sending which requests, associating the keys with the right user is important.

How many API keys can be associated with one user?

As many as you'd like. It may not be a great idea to create a bunch of keys for a single user, but you can do so if you'd prefer.

Can I restrict my users from using specific parts of the API?

Not yet, but that is a feature that is coming.

What’s Next

This is as complex as our API access topic gets, so there is no further material to read. However, if you'd like to brush up on some other API help materials, we suggest taking a look at our LMS API category.

If you're a developer and would like to view our API documentation, our dedicated documentation site is where you'll find information on every request you can send.

