Create and Manage API Keys
Create API keys for integrations and agents, choose safe access levels, monitor usage, and revoke keys.
What API keys do
API keys let integrations, dashboards, automations, and AI agents read from or write to your gym's Topo data through the REST API. API keys should be treated like passwords.
How permissions work
Each key has a role. The role sets which areas of Topo the key can access.
Each key has an access level. Read-only keys can fetch data; full keys can make changes allowed by the role.
A key can never perform an action the selected role does not allow.
For reporting agents, dashboards, and analysis tools, read-only is usually the safest starting point.
Create an API key
Go to Staff > Account > API Keys.
Choose New API key.
Enter a token name that makes the use case clear, such as Read-only dashboard or ChatGPT reporting key.
Add an optional description with the owner, integration, or reason for the key.
Choose a role.
Choose Read-only or Full access.
Set an expiration date if the key is temporary.
Create the key.
Copy the token immediately. Topo shows the full token only once.
Manage existing keys
Review each key's name, masked token, role, access level, status, last used time, created time, and expiration.
Revoke keys that are no longer needed, may have been exposed, or belong to a vendor you no longer use.
Create a new key instead of trying to reveal an old one. Existing full tokens cannot be shown again.
Use separate keys for separate integrations so you can revoke one without breaking everything.
Security checklist
Do not paste API keys into public websites, public help docs, screenshots, or shared documents.
Prefer secure credential storage in the integration or agent platform.
Use read-only access unless the integration truly needs to change data.
Set expirations for temporary projects.
Revoke and replace a key immediately if it may have been exposed.
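The review described under Manage existing keys, together with the read-only and expiration items in this checklist, can be run as a periodic script. This is an added example, not part of Topo's documentation or API: the record layout, role names, sample keys, and the 90-day staleness threshold are assumptions, with key details entered by hand from the API Keys page.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. Fields mirror what the API Keys page lists for
# each key; the layout, role names and dates are assumptions for illustration.
SAMPLE_KEYS = [
    {"name": "Read-only dashboard", "role": "Reporting", "access": "read-only",
     "status": "active", "last_used": "2025-05-30", "created": "2025-01-10",
     "expires": "2025-12-31"},
    {"name": "ChatGPT reporting key", "role": "Reporting", "access": "full",
     "status": "active", "last_used": "2025-05-28", "created": "2025-03-01",
     "expires": None},
    {"name": "Old vendor sync", "role": "Manager", "access": "full",
     "status": "active", "last_used": "2025-01-15", "created": "2024-06-01",
     "expires": None},
    {"name": "Trial import", "role": "Manager", "access": "full",
     "status": "revoked", "last_used": None, "created": "2024-02-01",
     "expires": "2024-03-01"},
]

STALE_AFTER = timedelta(days=90)  # assumption: local policy, not a Topo setting
READ_ONLY_USES = ("dashboard", "report", "analysis")  # uses the page steers to read-only

def _day(value):
    """Parse YYYY-MM-DD as UTC midnight; None means the field is empty."""
    return value and datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)

def review_key(key, now):
    """Return the reasons an active key deserves a second look."""
    if key["status"] != "active":
        return []  # already revoked, nothing left to do
    reasons = []
    if key["expires"] is None:
        reasons.append("no expiration set")
    last_seen = _day(key["last_used"]) or _day(key["created"])
    if now - last_seen > STALE_AFTER:
        reasons.append("unused for over 90 days")
    name = key["name"].lower()
    if key["access"] == "full" and any(use in name for use in READ_ONLY_USES):
        reasons.append("full access on a reporting-style key")
    return reasons

def review_inventory(keys, now):
    """Map key name -> reasons, for keys with at least one finding."""
    reviewed = {key["name"]: review_key(key, now) for key in keys}
    return {name: reasons for name, reasons in reviewed.items() if reasons}
```

Only names and metadata go into the inventory; the full token is never needed for this review and should not be stored alongside it.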