Skip to main content

Creating and Managing API Keys in Aline

A step-by-step guide for admins on creating API keys, setting resource-level permissions, authenticating with a bearer token, and using Aline's GraphQL API.

A
Written by Anastashia Kamberidis

Aline's API lets you build integrations and automations on top of your workspace — pulling contract data into other tools, syncing reports, or extending Aline with custom workflows. This guide walks you through creating an API key, setting the right permissions, and using the key with our GraphQL API.

Quick link: https://app.aline.co/admin/api-keys

Overview

In this article you'll learn how to:

  • Find the API Keys settings in Aline

  • Create a new key with the right permissions

  • Copy and store your key safely

  • Authenticate API requests with a bearer token

  • Explore queries, mutations, and subscriptions in the GraphQL playground

⚠️ You must be an Admin in your Aline organization to create or manage API keys.

Step 1: Open the API Keys Settings

There are two ways to get to API Keys:

Option A — From the menu

  1. Click the menu icon in the bottom left of the screen (the circle with your initial)

  2. Select Settings

  3. In the Settings sidebar, click API Keys

Option B — Direct link

💡 If you don't have access to the the API Keys, you're not an Admin. Ask an admin in your org to either create the key for you or upgrade your role.

Step 2: Create a New API Key

  1. From the API Keys page, click New API Key + in the top right

  2. In the Key Name field, enter a descriptive name (e.g., Salesforce Integration, Reports Sync — Snowflake)

💡 The name is how the key is identified in your organization. Be specific so future admins know what each key is for.

Step 3: Set Permissions

Permissions control what the key can read and change. You can either pick a preset or customize permissions per resource.

Presets

  • Read Only — the key can read every resource but cannot create, update, or delete anything

  • Full Access — the key can read, create, update, and delete across all resources

  • None — clears all checkboxes so you can build permissions from scratch

Resource Permission Matrix

Below the presets, you'll see a matrix with one row per resource and four columns: Read, Create, Update, Delete. Tick exactly what the key needs.

Resources you can scope:

  • Account

  • Documents

  • Chats

  • Templates

  • Playbooks

  • Reports

  • Reminders

  • Workflows

💡 Use least privilege. Only grant the permissions the integration actually needs. A reporting tool typically only needs Read on Documents and Reports — it doesn't need Create, Update, or Delete on anything.

Step 4: Create and Copy the Key

  1. Click Create

  2. Aline will display the key one time — copy it immediately

  3. Store it in a secure secrets manager (1Password, AWS Secrets Manager, your CI vault, etc.)

⚠️ For security, the full key is only shown once at creation. If you lose it, you'll need to create a new key and update wherever the old one was being used.

Step 5: Authenticate Your Requests

Aline's API uses bearer token authentication. Pass your API key in the Authorization header of every request:

Authorization: Bearer YOUR_API_KEY

Example with curl:

bash

curl https://app.aline.co/api/graphql \   -H "Authorization: Bearer YOUR_API_KEY" \   -H "Content-Type: application/json" \   -d '{"query": "{ documents { id title } }"}'

💡 Treat the key like a password. Never commit it to source control, never paste it into chat or email, and rotate it if you suspect it's been exposed.

Step 6: Explore the GraphQL API

All API operations go through a single GraphQL endpoint:

Open the endpoint in your browser (with an authenticated session) to load the interactive GraphQL documentation and playground. You'll find the full schema for:

  • Queries — read operations (e.g., fetch documents, list workflows, pull a report)

  • Mutations — write operations (e.g., create a workflow, update a document, save a reminder)

  • Subscriptions — live updates via polling (e.g., subscribe to workflow status changes)

Your key's permissions decide which queries, mutations, and subscriptions actually return data. A Read Only key, for example, can run queries and subscriptions but mutations will return permission errors.

Managing Existing Keys

From the API Keys page you can:

  • See every key in your org, its permissions summary, and creation date

  • Search keys by name

  • Revoke a key when an integration is deprecated or rotated

💡 Rotate keys on a regular cadence and whenever someone with access to a key leaves the team.

💡 Best Practices

  • One key per integration. Don't reuse a single key across multiple systems — it makes rotation and auditing much harder.

  • Use descriptive names (e.g., Snowflake — Reports Sync instead of Test Key 1).

  • Least privilege. Start with Read Only and only add write permissions where the integration genuinely needs them.

  • Rotate periodically and immediately on any suspected exposure.

  • Store secrets in a vault, never in source control.

❓ Need Help?

If you have questions about API keys, the GraphQL schema, or building an integration, click the Support button in Aline to chat with our team. We're happy to help you scope permissions or troubleshoot requests.

Related Articles
Account Types in Aline (Admin, Full, Basic, Viewer)
Managing Legal Review, Redlining & Multi-Phase Approvals in Aline Workflows
Did this answer your question?