# API Keys

(Reference: https://docs.iqra.bot/platform/api-keys)

Iqra AI provides a full REST API, allowing you to manage your businesses, trigger calls, and retrieve conversation history programmatically. **API Keys** are the credentials used to authenticate these requests.

## Permission Scopes

To ensure security, Iqra AI allows granular control over what an API key can do. Access is defined by two dimensions: **Business Scope** (Where it can act) and **User Management** (What it can change).

### 1. Business Scope

Determines which workspaces the key can access.

| Scope | Description | Best For |
| :--------------- | :-------------------------------------------------------------- | :---------------------------------------------------------- |
| **Unrestricted** | Grants access to **all** businesses owned by your user account. | Global reporting scripts. |
| **Restricted** | Limits access to specific Business Workspaces only. | Production apps, client-side integrations, or team members. |

### 2. User Management Scope

Determines if the key can access sensitive account-level data (Billing, Whitelabeling, User Profile).

* **Allow User Management Requests:** (Default: `Disabled`)
  * **Enabled:** The key can access `/api/v1/user` endpoints.

**Least Privilege Principle:** Always keep `User Management` **Disabled** unless you are specifically building a dashboard to manage billing or whitelabeling. For running agents or making calls, use a **Restricted Business Key** with **No User Management** access.

## Managing API Keys

You can generate and revoke keys in the **API Keys Tab** of the User Dashboard.

### Create New Key

Click the **"Add API Key"** button.

### Configure Permissions

1. **Name:** Give it a descriptive name (e.g., "Zapier Integration - Dental Clinic").
2. **Business Scope:** Choose "Unrestricted" or select specific Businesses.
3. **User Management:** Toggle **User Management Access** only if necessary.

### Copy Key

**Important:** The key is only shown *once* upon creation. Copy it immediately and store it securely (e.g., in your `.env` file). If you lose it, you will have to generate a new one.

## Using the API

All API requests must be authenticated via the HTTP Header.

### Endpoint & Reference

The base URL for the API is:

```bash
https://app.iqra.bot/api/v1
```

Want to see all available endpoints? Visit the interactive **[Developer API Reference](/api-reference)** to test requests directly in your browser.

### Authentication Header

Pass your key in the `Authorization` header using the `Token` prefix.

```bash title="Example: Get User Profile"
curl -X GET https://app.iqra.bot/api/v1/user \
  -H "Authorization: Token iqra_sk_12345abcdef" \
  -H "Content-Type: application/json"
```

Never expose your API Key in client-side code (browsers, mobile apps). Always make API requests from your backend server or use our [Middleware](/developers/sdks/middleware).
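
The header format and least-privilege advice above, as an added example (not Iqra's own code): a backend helper that reads the key from the environment, pins every request to the documented base URL so the key cannot be sent elsewhere, and refuses `/user` paths unless the caller opts in. The `IQRA_API_KEY` variable name and the helper names are assumptions.

```python
import os
import urllib.request
from urllib.parse import urljoin, urlsplit

BASE_URL = "https://app.iqra.bot/api/v1/"  # base URL from the page
ENV_VAR = "IQRA_API_KEY"                   # assumed variable name, not from the docs


def load_key(env=os.environ):
    """Read the key from the environment so it never lives in source control."""
    key = env.get(ENV_VAR, "").strip()
    if not key:
        raise RuntimeError(f"{ENV_VAR} is not set; generate a key and export it")
    return key


def redact(key):
    """Form of the key that is safe to write to logs."""
    return key[:8] + "..." if len(key) > 8 else "***"


def build_request(path, key, method="GET", allow_user_management=False):
    """Return an authenticated urllib Request pinned to the Iqra API base URL."""
    url = urljoin(BASE_URL, path.lstrip("/"))
    parts, base = urlsplit(url), urlsplit(BASE_URL)
    # Pin scheme, host and path prefix so the key is never sent anywhere else.
    same_origin = (parts.scheme, parts.netloc) == (base.scheme, base.netloc)
    if not same_origin or not parts.path.startswith(base.path):
        raise ValueError(f"refusing to send API key to {url}")
    # Client-side mirror of the User Management toggle (default: Disabled).
    rel = parts.path[len(base.path):]
    if (rel == "user" or rel.startswith("user/")) and not allow_user_management:
        raise PermissionError("/user endpoints need a key with User Management enabled")
    return urllib.request.Request(url, method=method, headers={
        "Authorization": f"Token {key}",
        "Content-Type": "application/json",
    })


if __name__ == "__main__":
    sample_key = "iqra_sk_12345abcdef"  # the page's sample key, not a real credential
    req = build_request("/user", sample_key, allow_user_management=True)
    print(req.get_method(), req.full_url, "key:", redact(sample_key))
    # urllib.request.urlopen(req) would send it; omitted so the example runs offline.
```

The `/user` guard only catches mistakes in your own code; the scope configured on the key in the dashboard remains the actual access control.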