API keys: scopes, rate limits, and usage

Updated 11 July 2026 4 min read

API keys: scopes, rate limits, and usage

Use API keys to let scripts, integrations, or external tools read and write your firm's data through Accupe's REST API, without sharing a login.

Where to find them

Go directly to the API Keys page under Settings, this page currently isn't linked from the main Settings menu or sidebar, so it's worth bookmarking once you find it. You need to be a firm admin, non-admins see "Admin access required, only firm administrators can manage API keys."

Creating a key

  1. Click "New API key".
  2. In the "Create API key" window, give it a Name. This is only for your own reference and is never shown to whatever consumes the key.
  3. Tick the scopes it needs (see the table below). By default, only "Read everything" is selected, narrow this to the smallest set your use case actually needs.
  4. Set a Rate limit in requests per minute. The default is 60, and you can set anywhere from 1 to 600.
  5. Click "Create key".

Scopes

ScopeWhat it allows
read:allRead access to every resource
read:clientsRead clients only
read:jobsRead jobs only
read:tasksRead tasks only
read:invoicesRead invoices only
read:signaturesRead signatures only
read:amlRead AML screenings
write:tasksCreate and update tasks
write:allFull write access to everything, use with caution

A key scoped write:all can do anything any other scope allows. A key scoped read:all can perform any read-only action, even ones a more specific read scope would also cover.

Saving your key

After creation, a "Your new API key" window shows the plaintext key exactly once, with a "Copy" button and the warning: "Save this token now. Accupe stores only a hash, you cannot retrieve it again. If lost, revoke and create a new one." Click "I've saved it" once you've copied it somewhere safe. If you close this window without copying the key, there's no way to see it again, you'd need to revoke it and create a new one instead.

The key itself starts with the prefix acc_live_ followed by random characters. Afterwards, the keys table only ever shows the first 12 characters followed by an ellipsis, never the full key.

Managing existing keys

The keys table shows, for each key: its name, its partial key, its scopes (the first three, plus a count of any extra), its rate limit, when it was last used along with a running request count, and its status:

StatusMeaning
ActiveWorking normally
RevokedYou've revoked it, it will no longer authenticate
ExpiredIts expiry date has passed

To revoke a key, click the trash icon on its row and confirm: "Revoke this API key? Any apps using this key will immediately stop working. Revocation cannot be undone." Revoking is a soft delete, the key stops working immediately but the record stays for your own audit history.

Using a key

Send it as a bearer token on every request, for example: Authorization: Bearer acc_live_xxxxxxxxxxxxxxxxxxxxxxxx. A working example: curl -H "Authorization: Bearer YOUR_KEY" https://www.accupe.com/api/v1/clients. List endpoints (such as clients, jobs, tasks, signatures, and AML screenings) return a data array plus a pagination object with limit, offset, and total; single-record endpoints like GET /api/v1/clients/{id} and the task-creation endpoint just return a data object.

Full endpoint documentation, including a quick-start walkthrough, lives at /dashboard/settings/api-keys/docs. It's linked as "View API docs" on the API Keys page itself, but only while your firm has zero keys yet, once you've created your first key that link disappears from the page (the table replaces the empty state it lived in), so bookmark the docs URL directly if you'll need to come back to it.

Endpoints

ResourceScope neededEndpoints
Clientsread:clientsGET /api/v1/clients (limit, offset, search); GET /api/v1/clients/{id}
Jobsread:jobsGET /api/v1/jobs (limit, offset, status, client_name); GET /api/v1/jobs/{id}
Tasksread:tasks, write:tasksGET /api/v1/tasks (limit, offset, status); POST /api/v1/tasks (title, client_name, priority, due_date)
Signaturesread:signaturesGET /api/v1/signatures (limit, offset, status)
AML Screeningsread:amlGET /api/v1/aml-screenings (limit, offset, risk_level)

Rate limits

Every response carries an X-RateLimit-Limit header and an X-RateLimit-Remaining header so you can see your remaining headroom. Once you exceed your key's per-minute limit, you'll get a 429 response with a Retry-After header, currently always set to 60 seconds since the limit resets on the next minute boundary.

Errors

StatusMeaning
401Missing or invalid API key
403Insufficient scope for this endpoint
404Resource not found, or not in your firm
429Rate limit exceeded, check Retry-After
500Server error, please retry
Tip: There's also a working endpoint for invoices (GET /api/v1/invoices), but it currently isn't listed on Accupe's in-app API docs page or the root /api/v1 discovery endpoint. It behaves the same way as the other read endpoints (scope: read:invoices) if you need it, this is a documentation gap, not a sign the endpoint is unsupported.