
Managing API keys and webhook secrets

API keys and webhook secrets prove that automation talking to Dailybot is authorized. Treat them like passwords: short-lived where possible, rotated on a schedule, and revoked the moment you suspect exposure.

Before you begin

  • You need Organization admin or a role that can manage Developers, Integrations, or API settings.
  • Notify anyone running CI or agent scripts before you rotate keys so they can update env vars the same day.

Steps

  1. Sign in to the Dailybot web app and open Organization or Settings.
  2. Open API keys, Developers, or Integrations and locate Create API key (or equivalent).
  3. Create a new key with a descriptive label (for example prod-reporting-2026) and minimal scope if the product offers scoped tokens.
  4. Copy the key once and store it in a secret manager or encrypted vault — not in chat, tickets, or public repos.
  5. For webhooks, open the webhook or Agent Inbox configuration and note the signing secret used to verify payloads; copy it to the consumer service’s environment.
  6. Rotate on a schedule: create a new key, update all callers (GitHub Actions, local .env, agent hosts), verify traffic succeeds, then revoke the old key.
  7. Revoke compromised keys immediately from the same screen; do not wait for the next maintenance window.
  8. Audit the list quarterly: remove keys with unknown owners or stale labels.
  9. If a webhook partner leaked a secret, generate a new signing secret (if supported), update the receiver, and replay-test with a sample event.
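
An added example (not Dailybot's own code) of the receiver side of steps 5, 6 and 9: verify each payload against the signing secret, accept the previous secret only during a rotation overlap, and replay-test with a sample event. It assumes the signature is a hex HMAC-SHA256 of the raw request body; the environment variable names, secrets and sample event are constructed, so confirm the real header and algorithm in the webhook configuration before relying on it.

```python
import hashlib
import hmac

# Assumption: signature = hex HMAC-SHA256 over the raw request body.
def sign(secret: bytes, raw_body: bytes) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def load_secrets(env) -> list:
    """Return (label, secret) pairs: current first, previous only if still set.
    The variable names are hypothetical."""
    names = (("current", "WEBHOOK_SIGNING_SECRET"),
             ("previous", "WEBHOOK_SIGNING_SECRET_PREVIOUS"))
    return [(label, env[var].encode()) for label, var in names if env.get(var)]

def verify(raw_body: bytes, signature: str, secrets: list):
    """Return the label of the matching secret, or None to reject the payload."""
    if not secrets or not signature:
        return None  # fail closed: a missing secret must never mean "accept"
    presented = signature.strip().lower().encode()
    matched = None
    for label, secret in secrets:
        expected = sign(secret, raw_body).encode()
        # compare_digest does not reveal how many leading characters matched
        if hmac.compare_digest(expected, presented) and matched is None:
            matched = label
    return matched

def replay_test() -> dict:
    """Replay one constructed sample event before, during and after rotation."""
    event = b'{"event":"sample.ping","id":"constructed-0001"}'
    old, new = "old-secret-constructed", "new-secret-constructed"
    during = load_secrets({"WEBHOOK_SIGNING_SECRET": new,
                           "WEBHOOK_SIGNING_SECRET_PREVIOUS": old})
    after = load_secrets({"WEBHOOK_SIGNING_SECRET": new})
    old_sig, new_sig = sign(old.encode(), event), sign(new.encode(), event)
    return {
        "new_during_overlap": verify(event, new_sig, during),
        "old_during_overlap": verify(event, old_sig, during),
        "old_after_cutover": verify(event, old_sig, after),
        "tampered_body": verify(event + b" ", new_sig, after),
    }

if __name__ == "__main__":
    for case, outcome in replay_test().items():
        print(f"{case}: {outcome}")
```

For a scheduled rotation, remove the previous secret once no delivery matches it; after a leak (step 9), leave it unset from the start so the exposed secret is rejected immediately.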

Best practices

  • Prefer one key per integration so revocation blast radius stays small.
  • Never commit keys to git; use DAILYBOT_API_KEY or your CI secret store.
  • Log last used timestamps if the dashboard shows them; idle keys are good revocation candidates.

What to expect after

After rotation, clients still using the old key receive 401 errors until they are updated. After revocation, stolen keys no longer work. For delivery problems after changes, see Webhooks not firing and API auth errors.