Developer Portal
Overview
The Developer Portal is split across two surfaces:
- /admin/developer — tenant administrators manage every key in the tenant, mint global service keys, mint personal keys on behalf of any user, and toggle whether non-admins may mint their own keys.
- /profile → API Keys tab — individual users mint and revoke their own user-scoped keys when the admin allows it.
The split exists so admins always retain full control regardless of the per-tenant self-service toggle.
Allow Users to Manage Their API Keys
The toggle on /admin/developer controls whether non-admin users may mint and revoke their own keys via /profile. When off, only administrators can manage keys.
The toggle has no effect on global keys — those are always admin-only by design.
Key Scopes (Global vs User-Bound)
API keys come in two flavours:
| Scope | Acts as | Use it for |
|---|---|---|
| Global | the tenant | CI pipelines, backup jobs, monitoring agents — anything that is not tied to a specific user |
| User-bound | a specific user | per-user automations, personal scripts, situations where you want the key to inherit (and track) a real person's permissions |
Why user-bound matters
A user-bound key validates the owner's permissions live on every request. If the owner is removed from a permission group, the key's effective scope shrinks within moments. If the owner is deactivated, the key is rejected immediately.
This is the recommended scope for any key that represents a real person's automation. It eliminates the "ghost permissions" failure mode where a former employee's key keeps working long after they have been off-boarded.
See API Key Scopes for the full lifecycle and permission intersection rules.
Creating an API Key (Admin)
- Navigate to /admin/developer.
- Click Create key.
- Fill in:
  - Name — a descriptive label (e.g. "Backup job", "Zapier integration", "Florin laptop CLI")
  - Scope — Global or User-bound (no default — you must choose explicitly)
  - Owner — only when scope is User-bound; type-ahead search by name or email
  - API scopes — toggle the chips for the resources this key may access
  - Expires (optional) — auto-deactivate after a date
- Click Create key.
The full key value is shown once in the modal. Copy it immediately — it cannot be retrieved later. For security, only an encrypted fingerprint of the key is stored.
Creating an API Key (User Self-Service)
When the admin has enabled "Allow users to manage their API keys", any tenant user can mint a personal key from /profile → API Keys. User self-service always produces user-bound keys; the user cannot pick Global.
Key Format
usl_v1_<48 hex chars>
The prefix usl_v1_ is shown in the admin key list so a key can be visually identified without revealing its value. The full string is the only secret.
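Because the format is fixed, a full key that ends up in a log file or repository can be found and redacted mechanically. The following is an added example, not part of the product or its documentation: it scans lines for complete keys and rewrites them to the non-secret prefix plus a short tag. The tag scheme, the sample lines, and the assumption that hex digits may be upper- or lower-case are all constructed for illustration.

```python
import hashlib
import re

# Key format from this page: "usl_v1_" followed by exactly 48 hex characters.
# Assumption: hex digits may be lower- or upper-case (the page does not say).
KEY_RE = re.compile(r"(?<![0-9A-Za-z_])usl_v1_[0-9a-fA-F]{48}(?![0-9a-fA-F])")

def fingerprint(key: str) -> str:
    """Short SHA-256 tag so repeated sightings of one key can be correlated
    without storing the key (hypothetical scheme, not the portal's own)."""
    return hashlib.sha256(key.encode()).hexdigest()[:12]

def redact(text: str) -> str:
    """Replace every full key with the non-secret prefix plus its tag."""
    return KEY_RE.sub(
        lambda m: f"usl_v1_[REDACTED:{fingerprint(m.group())}]", text)

def scan(lines):
    """Return (line_number, fingerprint) for each full key found in lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for m in KEY_RE.finditer(line):
            hits.append((n, fingerprint(m.group())))
    return hits

# Constructed sample input: the key value and log lines are made up.
SAMPLE_KEY = "usl_v1_" + "0123456789abcdef" * 3
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z GET /v1/assets 200",
    f"2024-01-01T10:00:01Z debug: request sent with key {SAMPLE_KEY}",
    "2024-01-01T10:00:02Z note: prefix usl_v1_ is shown in the admin list",
    f"export EXAMPLE_KEY={SAMPLE_KEY}  # committed by mistake",
    "usl_v1_" + "ab" * 20 + " (only 40 hex chars, not a valid key)",
]

if __name__ == "__main__":
    for n, fp in scan(SAMPLE_LOG):
        print(f"line {n}: full key present, fingerprint {fp}")
    for line in SAMPLE_LOG:
        print(redact(line))
```

Any key the scan finds should be revoked in /admin/developer, since the full string is the only secret.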
API Scopes
| Scope | Access |
|---|---|
| assets:read | List and read assets |
| assets:write | Create, update, and delete assets |
| users:read | Read users |
| users:write | Manage users |
| processes:read | Read process definitions and instances |
| processes:write | Start and advance process instances |
| tickets:read | Read tickets (ITSM) |
| tickets:write | Create and update tickets (ITSM) |
Assign only the scopes your integration actually needs (principle of least privilege).
Revoking a Key
Click Revoke next to any key in /admin/developer. The key is marked as revoked: it stays in the list with a "revoked" badge so the audit trail remains intact, but the key is rejected immediately on every subsequent request.
User-bound keys are also automatically revoked when their owner is deleted or deactivated.
Rate Limiting
Requests are rate-limited per key. The window is one hour and resets on the hour boundary. Plan-based defaults:
| Plan | Requests per hour |
|---|---|
| Free | 100 |
| Starter | 1,000 |
| Professional | 10,000 |
| Enterprise | configurable |
When the limit is exceeded, the API returns 429 Too Many Requests. Every response carries X-RateLimit-Limit, X-RateLimit-Remaining, and X-RateLimit-Reset headers — use them to back off proactively.
Usage Analytics
The Usage view shows total requests per key, error rate, average response time, daily call volume, and top endpoints — across the last 30 days.
API Base URL
All public API requests target:
https://api.uslimato.com/v1/
See API Authentication for the request header format and error codes.