Setting Up API Keys
API keys are created per-project and carry granular permissions that control what the key can access.
Creating an API Key
- Open your project in Renovatr
- Navigate to Settings (gear icon in the project tab bar)
- Scroll to the API Keys section
- Click Generate API Key
- Enter a descriptive name (e.g., "CI Integration", "Claude MCP")
- Select permissions using the preset buttons or individual checkboxes:
  - View Only — read access to all resources
  - Editor — read + create + update access
  - Full Access — all permissions including delete
  - Client View — limited read access (no financials)
- Click Create
One-Time Key Reveal
After creation, the full API key is displayed once. Copy it immediately and store it securely — you won't be able to see it again.
The key format looks like:
rnvtr_a1b2c3d4...
Only the key prefix (e.g., rnvtr_a1b2) is stored in Renovatr for identification.
Managing Keys
- View active keys — see name, prefix, creation date, and last used date
- Revoke a key — permanently deactivates the key (cannot be undone)
- Revoked keys remain visible in the list but are greyed out
Permission Scoping
Each API key has 20 granular permission flags covering:
- Projects, deliverables, snags, incidents, invoices
- Clients, subcontractors
- Financials, audit logs
See Permissions for the full list.
Security Best Practices
- Create separate keys for each integration
- Use the minimum permissions needed
- Rotate keys periodically by creating a new key and revoking the old one
- Never commit API keys to source control
- Store keys in environment variables or a secrets manager
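The last two practices can be enforced mechanically. The Python script below is an added example, not part of Renovatr: it scans files for key-shaped strings before a commit, reports only the identifying prefix, and reads the key from an environment variable at runtime. The key body pattern (16 or more alphanumeric characters after rnvtr_) and the variable name RENOVATR_API_KEY are assumptions.

```python
"""Pre-commit style scan for Renovatr API keys (added example, not Renovatr code)."""
import os
import re
import sys

# Assumption: the docs show only the "rnvtr_" prefix and a truncated sample, so the
# body charset and minimum length here are guesses; tune them against real keys.
KEY_RE = re.compile(r"\brnvtr_[A-Za-z0-9]{16,}")
PREFIX_LEN = len("rnvtr_a1b2")  # same prefix length the key list displays
# Constructed sample: line 1 holds a made-up key, line 2 the docs' truncated placeholder.
SAMPLE = 'API_KEY = "rnvtr_a1b2c3d4e5f6a7b8c9d0"\nsee docs: rnvtr_a1b2c3d4...\n'


def redact(key):
    """Keep only the identifying prefix so scanner output never leaks a key."""
    return key[:PREFIX_LEN] + "..."


def scan_text(text, path="<stdin>"):
    """Return (path, line_no, redacted_key) for every key-shaped token."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((path, line_no, redact(match.group())))
    return findings


def load_api_key(env=os.environ, var="RENOVATR_API_KEY"):
    """Read the key from the environment; the variable name is hypothetical."""
    key = env.get(var, "")
    if not KEY_RE.fullmatch(key):
        raise RuntimeError(f"{var} is unset or not key-shaped")
    return key


def main(paths):
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            findings.extend(scan_text(handle.read(), path))
    for path, line_no, prefix in findings:
        print(f"{path}:{line_no}: possible Renovatr API key {prefix}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from a pre-commit hook with the staged file paths as arguments; a non-zero exit blocks the commit.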