API keys let your website, app, or backend talk to UMAP360 — sending events from the SDK, reading data for reporting, or performing administrative tasks. You create and manage them under Settings → API Keys, where you'll also find the active key shown during onboarding.
The three key types
UMAP360 keys come in three types, each scoped to what it's allowed to do. Pick the narrowest type that does the job.
| Type | What it can do | Typical use |
|---|---|---|
| Write | Send events into UMAP360 | The SDK and event ingestion — by far the most common |
| Read | Read your data | Server-side reporting and analytics queries |
| Admin | Administrative actions, like managing connectors or user data | Server-side management tasks; owners and admins only |
Use a Write key for the SDK
The tracker that powers your website and apps only ever sends data, so it needs a Write key — not a Read or Admin key. Your active write key starts with uk_live_ and appears in Settings and during onboarding. See Install the SDK to wire it up, or the developer docs for code-level detail.
What you'll see for each key
Every key in the list shows enough to tell at a glance what it is and whether it's still in use:
- Prefix — the first few characters of the key (the rest stays masked, so the list is safe to look at)
- Type — Read, Write, or Admin
- Requests — how many requests have been made with it
- Last used — when it was last used for a call
- Status — Active or Revoked
This makes it easy to spot a key that's gone quiet (a candidate to revoke) or one that's busier than you expected.
Creating a key
- Go to Settings → API Keys.
- Click Create API Key.
- Give it a clear name (for example, "Production Web SDK") so you can recognise it later.
- Choose the type — Read, Write, or Admin.
- Click Create.
- Copy the key right away.
The full key is shown only once
For security, UMAP360 reveals the complete key a single time, immediately after creation. Copy it and store it somewhere safe before you dismiss the dialog — once it's gone, it cannot be shown again. If you lose it, create a new key.
Creating keys (and revoking them) is limited to organization owners and admins. Members and viewers won't see these controls.
Revoking a key
If a key is no longer needed — or you suspect it's been exposed — revoke it:
- Find the key in the list.
- Click Revoke and confirm.
Revoking takes effect immediately. Any SDK or API calls still using that key will start failing right away, so update your integration with a replacement key before you revoke the old one. The revoked key stays in the list (marked Revoked) so its history remains on record for you.
A few good habits
- Use separate keys for development and production so you can revoke one without touching the other.
- Name keys descriptively so a stale key is easy to identify months later.
- Revoke keys you no longer use to keep your surface small.
- Never put an Admin key in client-side code — Admin keys belong only on a trusted server.
Next steps
- Install the SDK — drop your Write key into the tracker
- Verify events — confirm data is flowing in
- Developer documentation — using keys in code, the full SDK and API reference
- Team and roles — who can create and revoke keys
Last updated 2026-06-11