To access AngelTrack's APIs, your application must have an API key.
This article discusses AngelTrack's API key system, which is used to authorize third-party applications to exchange data with your AngelTrack server.
Uses of API Keys
The following AngelTrack APIs use API keys:
- CAD API Accepting Nemsis including Affiliate Server-to-Server Delegation
- Postprocess Workflow API
- Movi Integration
AngelTrack's various other integrations are outbound and so will have their own authentication systems as required by the third party.
API Key Creation and Configuration
To create or modify an API key, log in to AngelTrack with Administrator privileges, go to Settings, and click on the API Configuration item.
Your existing API keys are shown. Click to add a new one.
Each API key has the following parameters:
Access key: This acts as the password, which the third-party app uses to authenticate itself.
Name: A freetext description that you choose to help you remember each API key's purpose. You can change the name at any time without impacting the API key's function.
Active: Untick this box to deactivate the API key. It will cease to function within four minutes of your deactivating it.
API privileges: Specify which AngelTrack APIs and integrations will accept the API key.
Proxy employee: Select an AngelTrack employee record as the proxy. All activities performed using the API key will be attributed to this employee. For example, if the API key is used to book a new dispatch, the dispatch will show that it was created by this employee. See below for details.
Security Implications
API keys are exempt from all of the following security measures:
- Fort Knox Security Mode
- IP whitelists
- Any restrictions on the proxy employee account:
  - Password reset intervals
  - 2FA requirement
  - Security roles
  - Active / inactive flag
API keys are still subject to the following security measures:
- IP address georestrictions
- Flood protection aka request rate throttles
- Incorrect-password rate alarms
- Data exfiltration alarms
Re-Key / API Key Rotation
At any time, you can re-key an API key by visiting the API Key Edit page and clicking the "Re-Key" link. This task is known as "key rotation".
After you save a re-keyed API key, the old one will continue to work for 4 hours, giving you time to input the new API key into the third-party application.
If you need longer than four hours to propagate a key rotation, then instead create a brand new API key, propagate that one, and when that's all done, deactivate the old API key.
If you need to immediately shut down someone's access to an API, then don't perform a key rotation, because the old key continues to work for 4 hours after a re-key. Instead, remove the API key's access flags, or deactivate it completely.
Deactivation and Reactivation
You can deactivate and reactivate your API keys as you see fit, in the usual way. Obviously, a deactivated key will be rejected if anyone attempts to use it to access AngelTrack.
Proxy Employee
Each API key specifies a proxy employee record, in whose name all API activities will be logged.
To prevent unintended disruption of your API activity, AngelTrack ignores the proxy employee record's security roles. The API key will always have whatever privileges are required by the various APIs to which you grant it access.
Likewise, the proxy employee record can be marked 'inactive' if you do not wish to allow a human to use it for ordinary AngelTrack access. Inactive employee accounts can still act as proxy accounts for an API key. The only way to disable an API key's access is to re-key or deactivate the key itself.
A proxy employee account can also be used by a human, if that is your practice. When used by a human, the proxy employee account must remain active, and will be subject to the password-reset interval and any 2FA requirements.