API Client Management
Enterprise tier. Create API keys for external integrations. Configure client name, permissions, allowed tenants. View API docs at /superadmin/api-docs.
API client management lets you create and manage API keys for external integrations. External systems can use these keys to access CrystalQore APIs for automation, reporting, custom applications, and third-party integrations. This is an Enterprise tier feature.
Overview
With API client management you can:
- Create API keys — Generate keys for external applications
- Configure permissions — Control what each client can access
- Restrict by tenant — Limit API access to specific tenants
- Manage keys — Rotate, revoke, or disable keys as needed
- View API documentation — At /superadmin/api-docs
Creating an API Client
1. Navigate to Admin → API Clients — Open the API client management page.
2. Click Create API Client — Start the creation form.
3. Enter client name — A descriptive name (e.g., "CRM Integration", "Reporting Dashboard").
4. Configure permissions — Select which API scopes or endpoints the client can access.
5. Set allowed tenants — Restrict access to specific tenants, or allow all.
6. Save — Generate the API key. Copy and store it securely — it may not be shown again in full.
Required Configuration
| Field | Description |
|---|---|
| Client name | Identifier for the integration (for your reference) |
| Permissions | API scopes or endpoints the client can call |
| Allowed tenants | Tenant(s) the client can access; "all" or specific list |
API Key Format
API keys use a prefix-based identification:
- Keys are typically long, random strings
- A prefix (e.g., first few characters) identifies the client in logs and audit trails
- Store the full key securely; do not share or commit to version control
API keys are shown only at creation time. Store them in a secure vault (e.g., environment variables, secrets manager). If lost, create a new key and revoke the old one.
Permissions
Permissions determine what the API client can do:
- Read-only — Fetch data (users, contacts, call records, etc.)
- Write — Create or update resources
- Scoped by module — e.g., Contacts only, CDR only, SMS only
Configure the minimum permissions needed for each integration. Avoid over-granting.
Tenant Restrictions
You can restrict API clients to specific tenants:
- All tenants — Client can access data across all tenants (use sparingly)
- Specific tenants — Client can only access the listed tenants
Tenant restrictions help maintain multi-tenant isolation when integrating with external systems.
Managing Access
- Disable — Temporarily revoke access without deleting the client
- Revoke/Rotate — Invalidate the current key and generate a new one
- Delete — Remove the client and all associated keys
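The sketch below is an added example, not CrystalQore's code: it shows one way a server can enforce the prefix-identified keys, permissions, tenant restrictions and Disable action described above. The 8-character prefix, SHA-256 storage of the key, scope names such as `contacts:read`, and all function names are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PREFIX_LEN = 8  # assumed; the page only says "first few characters"

@dataclass
class ApiClient:
    name: str
    key_prefix: str          # safe to show in logs and audit trails
    key_sha256: str          # only a digest of the full key is stored
    scopes: frozenset        # hypothetical scope names, e.g. "contacts:read"
    allowed_tenants: object  # "all" or a frozenset of tenant ids
    enabled: bool = True

def create_client(name, scopes, allowed_tenants):
    """Return (record, full_key); the full key is handed out once, never stored."""
    key = secrets.token_urlsafe(32)
    digest = hashlib.sha256(key.encode()).hexdigest()
    tenants = allowed_tenants if allowed_tenants == "all" else frozenset(allowed_tenants)
    return ApiClient(name, key[:PREFIX_LEN], digest, frozenset(scopes), tenants), key

def authorize(clients, presented_key, scope, tenant):
    """Return (allowed, reason, prefix); the prefix is what goes in the audit log."""
    prefix = presented_key[:PREFIX_LEN]
    client = clients.get(prefix)
    if client is None:
        return False, "unknown_key", prefix
    digest = hashlib.sha256(presented_key.encode()).hexdigest()
    if not hmac.compare_digest(digest, client.key_sha256):  # constant-time compare
        return False, "bad_key", prefix
    if not client.enabled:
        return False, "client_disabled", prefix
    if scope not in client.scopes:
        return False, "scope_denied", prefix
    if client.allowed_tenants != "all" and tenant not in client.allowed_tenants:
        return False, "tenant_denied", prefix
    return True, "ok", prefix

def demo():
    client, key = create_client("CRM Integration", {"contacts:read"}, ["tenant-a"])
    clients = {client.key_prefix: client}
    wrong_key = key[:PREFIX_LEN] + "x" * 35  # constructed: right prefix, wrong secret
    cases = [(key, "contacts:read", "tenant-a"), (key, "contacts:write", "tenant-a"),
             (key, "contacts:read", "tenant-b"), (wrong_key, "contacts:read", "tenant-a")]
    reasons = [authorize(clients, *c)[1] for c in cases]
    client.enabled = False  # the "Disable" action: access stops, the record is kept
    return reasons + [authorize(clients, key, "contacts:read", "tenant-a")[1]]
```

Every denial still returns the key prefix, so rejected requests can be attributed to a client in audit logs without the full key ever being written anywhere.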
API Documentation
CrystalQore provides API documentation for developers:
- URL — /superadmin/api-docs (Superadmin access required)
- Content — Endpoints, parameters, authentication, examples
Use this to build integrations and verify how to use your API keys.
Best Practices
- One client per integration — Do not reuse keys across multiple systems
- Least privilege — Grant only the permissions needed
- Tenant scoping — Restrict to specific tenants when possible
- Rotate keys periodically — Replace keys on a schedule or when staff changes
- Monitor usage — Use audit logs to detect unusual API activity
Related Documentation
| Page | Description |
|---|---|
| Audit Logs | Track API client usage |
| User Management | User-based access vs. API access |