The Secret Key plays a critical role in Quixy integrations for both pushing data into Quixy and pulling data from Quixy. It is used as part of Quixy’s authentication mechanism to securely authorize API requests.
Quixy uses token-based authentication, where a Secret Key is used to generate a Bearer Token, which is then required to consume APIs.
¶ 1. What is a Secret Key?
A Secret Key is a secure piece of information used in secret-key (symmetric) encryption, where the same key is used to encrypt and decrypt messages. In Quixy, the Secret Key is used to authenticate API requests and ensure secure data exchange between Quixy and external systems.
¶ 2. Accessing the Secret Key
Note
Users must have integration access to generate or view the Secret Key.
To generate or manage your API key:
- Go to My Profile in Quixy
- Navigate to the Integrations tab
- The API key generated here carries the same privileges as the user account, so it must be stored securely and never shared publicly.
¶ 3. How Authentication works in Quixy
Quixy uses Bearer Token–based authentication.
¶ 3.1. Authentication Methods
You can authenticate API requests in either of the following ways:
- Recommended: Pass the API key as a Bearer Token in the HTTP
Authorizationheader - Alternative (lower security): Pass the API key using the
api_keyquery parameter
Important
- All API requests must be made over HTTPS
- Every API request must be authenticated
¶ 4. Bearer Token Expiry
Caution
The Bearer Token expires automatically every 10 minutes.
Once expired:
- A new Bearer Token must be generated using the Secret Key
- The expired token cannot be reused
- This expiry mechanism improves security by limiting token lifespan.
¶ 5. Role-Based Data Access
Note
Data access during API push or pull operations is governed by user roles and permissions.
- Non-admin users can only access data permitted by their role
- Admin-level access is required to view or retrieve full datasets
- APIs respect Quixy’s permission model at all times
¶ 6. Best Practice for Organization Admins
To ensure stable and secure integrations:
- Create a dedicated integration user account
- Assign a specific team to manage integrations
- Avoid using personal admin accounts for API integrations
This approach helps prevent:
- Account lockouts due to failed login attempts
- Unexpected integration failures
- Disruption to business-critical integrations
¶ 7. How the Secret Key is used
In Quixy, the Secret Key is used to generate a Bearer Token, which is then used to call APIs.
¶ 7.1. Supported API Types
- Webhook API – Push data into Quixy
- Report API – Pull data from Quixy
¶ 7.2. Workflow
- Generate a Bearer Token using the Secret Key
- Use the Bearer Token to call the required API
- Regenerate the token once it expires
¶ 8. Generating a Bearer Token (Using Postman)
Bearer Tokens can be generated using tools such as Postman, in coordination with Quixy’s authentication APIs.
The process typically involves:
- Configuring the authentication API in Postman
- Passing the Secret Key as required
- Executing the request to receive a Bearer Token
Refer to the provided demonstration (GIF) to understand the complete token generation flow in Postman.
