Generating API Keys
API keys are secure credentials that allow external applications to access your Launchpad data. This guide walks you through creating, managing, and securing your API keys.
What is an API key?
An API key is a unique code that:
Identifies your account — tells Launchpad who is making the request
Grants access — allows reading or writing data
Tracks usage — monitors API activity
Enables security — can be revoked if compromised
Think of it like a password specifically for applications.
Before you start
You'll need:
Owner or admin access in Launchpad
A plan that includes API access
An understanding of what you'll use the key for
API access may require a specific subscription level. Check your plan details or contact support.
Creating your first API key
Go to Settings from the main menu
Click API in the settings menu
If API access is disabled, click Enable API Access
Click Generate New Key
Configure your key:
- Name — describe what this key is for (e.g., "Website integration") - Permissions — select what the key can access - Expiry — optionally set an expiration date
Click Create Key
Copy your key immediately — it won't be shown again
Store your key securely. If you lose it, you'll need to generate a new one.
Understanding permissions
Each API key can have different permission levels:
Read permissions
Allow retrieving data without modifying it:
Permission | Access |
| View products and pricing |
| View booking details |
| View customer records |
| Check availability |
| View payment history |
Write permissions
Allow creating and modifying data:
Permission | Access |
| Modify product information |
| Create and update bookings |
| Create and update customers |
| Block and release dates |
Full access
Grants all available permissions. Use with caution.
Best practices for permissions
Follow the principle of least privilege:
Only grant what's needed — a key that only reads products shouldn't have booking access
Create separate keys — different integrations get different keys
Use read-only where possible — reduce risk of accidental changes
Review regularly — audit which keys have which permissions
Managing your API keys
Viewing existing keys
Go to Settings > API
See all your active keys
Each shows name, permissions, and last used date
Key details
For each key, you can see:
Name — your description
Created — when it was generated
Last used — most recent API call
Permissions — what it can access
Expires — expiration date if set
Renaming a key
Find the key in your list
Click the Edit button
Update the name
Click Save
You cannot change a key's permissions — generate a new key instead.
Revoking a key
If a key is compromised or no longer needed:
Find the key in your list
Click Revoke
Confirm the action
The key stops working immediately. Any integrations using it will fail.
Regenerating a key
To get a new key with the same name:
Revoke the existing key
Create a new key with the same settings
Update your integrations with the new key
Key expiration
Setting an expiry date
For temporary access:
When creating a key, enable Set Expiry
Choose an expiration date
The key automatically stops working after this date
When to use expiry
Developer access during a project
Temporary integrations
Testing purposes
Contractor access
Extending expiry
You cannot extend a key's expiry. Create a new key instead.
Security recommendations
Storing keys safely
Use environment variables — don't hardcode keys in your application
Never commit to git — exclude key files from version control
Use secrets management — consider tools like AWS Secrets Manager
Limit access — only those who need the key should have it
Monitoring usage
Check the "Last used" date regularly
Look for unusual activity patterns
Review which IP addresses are using your keys (if available)
Set up alerts for API errors
Rotating keys
Periodically replace your keys:
Generate a new key
Update your integrations
Test the new key works
Revoke the old key
Recommended rotation schedule: every 90 days for production keys.
What to do if compromised
If you suspect a key has been exposed:
Revoke immediately — stop the key from working
Generate a new key — create a replacement
Update integrations — switch to the new key
Audit activity — check for unauthorised actions
Review access — determine how the exposure occurred
Troubleshooting
Key not working
Verify you copied the complete key
Check the key hasn't been revoked
Confirm the key hasn't expired
Ensure you're using the correct authorisation format
Permission denied errors
Check the key has the required permissions
Verify you're accessing allowed endpoints
Review the error message for specifics
Generate a new key with appropriate permissions
Rate limiting
You've exceeded the request limit
Wait before making more requests
Implement caching in your application
Contact support for limit increases
Can't generate keys
Check your account has API access enabled
Verify your subscription includes API access
Ensure you have admin or owner permissions
Contact support if issues persist
Multiple keys strategy
For larger implementations:
Key Name | Purpose | Permissions |
Website Widget | Display availability |
|
Booking System | Process bookings |
|
Reporting | Generate reports |
|
Development | Testing only | All (expires in 30 days) |
Benefits:
Revoke one without affecting others
Track usage by purpose
Limit damage if one is compromised
Clear audit trail
Testing your key
Verify your key works:
Using curl
curl -H "Authorization: Bearer YOUR_API_KEY" \ https://api.launchpad.net.au/v1/products
Using Postman
Open Postman
Create new GET request to
https://api.launchpad.net.au/v1/productsAdd header:
Authorization: Bearer YOUR_API_KEYSend request
A successful response confirms your key is working.
API keys are powerful credentials — treat them like passwords and follow security best practices to protect your data.