Create and Manage API Keys
You can generate and manage API keys in your BitGPT 402pay Dashboard > Developers > API Keys section.
Linked to Organizations
API keys are issued at the organization level, not tied to individual users. This means:
- Any action performed using an API key is attributed to the owning organization.
- Multiple team members can collaborate using separate keys within the same organization.
- API keys persist independently of individual user accounts.
Unlimited Keys per Organization
Each organization can create any number of API keys, allowing for flexibility across environments, services, or teams. Common usage patterns include:
- One key per environment (e.g., development, staging, production)
- One key per integration (e.g., billing automation, analytics)
- Temporary keys for CI/CD or testing purposes
IP Restrictions
To enhance security, API keys can be restricted to specific IP addresses or subnets:
- Supports IPv4, IPv6, and CIDR notation
- Requests from unauthorized IPs will be rejected with a `403 Forbidden` error

Example entries:
- `192.168.1.10` (single IPv4 host)
- `2001:0db8::/32` (IPv6 range)
- `203.0.0.0/8` (IPv4 range)
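The following is an added example, not code from 402pay: a small model of how an IP restriction like the one above is evaluated, written with Python's standard `ipaddress` module. The allowlist values are the three example entries from this page; the client addresses in the usage are constructed. It is illustrative of the check, not the dashboard's own implementation, and it fails closed: anything that does not parse, or does not fall inside an allowed host or range, gets a 403.

```python
import ipaddress

# Constructed allowlist mirroring the three entry forms the page accepts:
# a single IPv4 host, an IPv6 CIDR range and an IPv4 CIDR range.
ALLOWED_SOURCES = ["192.168.1.10", "2001:0db8::/32", "203.0.0.0/8"]


def parse_allowlist(entries):
    """Turn allowlist strings into network objects.

    A bare address becomes a /32 (IPv4) or /128 (IPv6) network, so single
    hosts and CIDR ranges are checked the same way. strict=False allows a
    range written with host bits set (e.g. 203.0.0.0/8 is fine either way).
    """
    return [ipaddress.ip_network(entry, strict=False) for entry in entries]


def is_source_allowed(client_ip, networks):
    """True if client_ip falls inside any allowed network of the same IP version."""
    addr = ipaddress.ip_address(client_ip)
    # ipaddress already returns False for a v4/v6 mismatch; the explicit
    # version check just makes the intent visible.
    return any(addr.version == net.version and addr in net for net in networks)


def authorize_request(client_ip, allowlist):
    """Model of the IP restriction: 200 if the key may be used from client_ip,
    otherwise 403. Unparseable input is rejected rather than allowed."""
    try:
        if is_source_allowed(client_ip, parse_allowlist(allowlist)):
            return 200
    except ValueError:
        # Malformed client address or allowlist entry: fail closed.
        pass
    return 403


if __name__ == "__main__":
    # Constructed sample clients (hypothetical addresses).
    for ip in ["192.168.1.10", "192.168.1.11", "2001:db8:1234::1", "203.0.113.5", "not-an-ip"]:
        print(ip, "->", authorize_request(ip, ALLOWED_SOURCES))
```

One caveat when reasoning about your own allowlist: an IPv4 client arriving behind a proxy that presents IPv4-mapped IPv6 addresses (such as `::ffff:203.0.113.5`) is an IPv6 address to this check and will not match an IPv4 range, so test the restriction from the actual egress path of each integration before relying on it.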
Scoped Permissions
Each API key can be limited to a specific set of scopes, defining which parts of the API it can access. You will be prompted to set these scopes when creating an API key in the dashboard. If none are specified, the API key is granted full permissions, so treat an unscoped key as a full-access credential and always choose the scopes explicitly.

| Scope | Description |
|---|---|
| invoices.create | Create new invoices within your organization. |
| invoices.read | Retrieve existing invoices or list all invoices. |
| products.create | Create new products in your catalog. |
| products.read | View product details or list all products. |
| products.update | Update existing product information. |
| products.delete | Delete products from your catalog. |
| api_keys.create | Create new API keys for your organization. (Not available to developers) |
| api_keys.update | Update metadata or scopes of existing API keys. (Not available to developers) |
| api_keys.delete | Delete API keys. (Not available to developers) |
| api_keys.read | View and list API keys associated with your organization. |
| webhooks.create | Register new webhook endpoints. |
| webhooks.read | View registered webhooks or inspect configurations. |
| webhooks.update | Modify existing webhook endpoints. |
| webhooks.delete | Remove webhook endpoints from your account. |
| webhooks_queue.read | Read or inspect queued webhook delivery attempts. |
| webhooks_queue.update | Retry or manage failed webhook deliveries. |
| notifications.read | View in-app or system notifications. |
| notifications.update | Mark notifications as read or update their status. |
| notifications_settings.read | Access notification delivery preferences. |
| notifications_settings.update | Modify how notifications are delivered. |
A request made with a key lacking the required scope will return `403 Forbidden`.
Best Practices
- Rotate keys regularly to minimize exposure
- Use least privilege: only assign required scopes
- Restrict by IP where possible
- Avoid sharing keys between environments or teams
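The following is an added example, not 402pay's own code, serving both the Scoped Permissions section and the least-privilege point above. It models the scope check as the page describes it (a key with no scopes has full permissions; a missing scope yields 403) and adds a small audit that compares a key's scopes with what an integration actually needs, so over-privileged keys, including unscoped ones, are flagged before they ship. The scope names are the ones in the table; the "billing automation" integration and its required scopes are a constructed illustration.

```python
# The scope names from the table on this page.
KNOWN_SCOPES = frozenset({
    "invoices.create", "invoices.read",
    "products.create", "products.read", "products.update", "products.delete",
    "api_keys.create", "api_keys.update", "api_keys.delete", "api_keys.read",
    "webhooks.create", "webhooks.read", "webhooks.update", "webhooks.delete",
    "webhooks_queue.read", "webhooks_queue.update",
    "notifications.read", "notifications.update",
    "notifications_settings.read", "notifications_settings.update",
})


def key_allows(key_scopes, required_scope):
    """Model of the scope check described on the page.

    key_scopes: the scopes assigned to the key; empty or None means the key
    was created without scopes and therefore has full permissions.
    """
    if required_scope not in KNOWN_SCOPES:
        raise ValueError(f"unknown scope: {required_scope}")
    if not key_scopes:
        return True  # unscoped key: full permissions (per the dashboard behaviour)
    return required_scope in set(key_scopes)


def authorize(key_scopes, required_scope):
    """HTTP status the page documents: 200 if the scope is present, else 403."""
    return 200 if key_allows(key_scopes, required_scope) else 403


def audit_key(key_scopes, required_scopes):
    """Least-privilege audit of a key against an integration's needs.

    Returns (missing, excess): scopes the integration needs but the key lacks,
    and scopes the key holds but the integration does not need. Because an
    unscoped key has full permissions, every known scope outside the
    requirement counts as excess for such a key.
    """
    required = set(required_scopes)
    unknown = required - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scopes in requirement: {sorted(unknown)}")
    effective = set(KNOWN_SCOPES) if not key_scopes else set(key_scopes)
    return sorted(required - effective), sorted(effective - required)


if __name__ == "__main__":
    # Constructed illustration: a billing-automation job that only creates
    # and reads invoices (hypothetical integration).
    billing_needs = ["invoices.create", "invoices.read"]
    print(authorize(billing_needs, "invoices.create"))   # scope present
    print(authorize(billing_needs, "products.delete"))   # scope missing
    print(audit_key(["invoices.read", "webhooks.delete"], billing_needs))
    print(audit_key([], billing_needs))  # unscoped key: 18 excess scopes
```

Run the audit as part of provisioning: a key whose `excess` list is non-empty should be re-created with only the `required` scopes, and a key that reports the whole table as excess is an unscoped key that was never narrowed.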

