API Keys and Service Accounts
Use service accounts with scoped API keys for automation against Rivolq, with bearer-token auth, rate limits, and key rotation.
Updated June 5, 2026
Service accounts vs user accounts
A service account is a non-human identity for programmatic access. It has no email or password, authenticates via API key, does not count against your seat license, has a role controlling its access, and is attributed separately in the audit log. Never put a real user's key in a script.
Creating and using one
Go to Settings > Service accounts > New service account. Name the account specifically, choose a least-privilege role, optionally restrict it to facilities or categories, and generate an API key. Copy the key now; you will not see it again. Pass it as a bearer token in the Authorization header. The API base URL is https://app.rivolq.com/api/v1, and the API follows standard REST conventions.
Rate limits and rotation
Limits are 600 requests/minute on Standard, 2,400 on Business, and configurable on Enterprise; 429 responses include Retry-After. Rotate quarterly for admin keys, annually for read-only, and immediately if leaked. The old key works for 7 days after rotation. Official SDKs exist for Python, Node.js, and Go.
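The bearer-token header and the 429/Retry-After handling described above, as an added standard-library Python example (not the official SDK and not code from Rivolq). Endpoint paths are not given on this page, so the caller supplies one; the `send` and `sleep` parameters, the default wait and the 60-second cap are assumptions made for this sketch.

```python
import email.utils
import time
import urllib.error
import urllib.request

BASE_URL = "https://app.rivolq.com/api/v1"  # base URL stated on this page


def build_request(path, api_key):
    """Build a GET request carrying the service-account key as a bearer token."""
    # path is supplied by the caller; this page documents no endpoint paths.
    req = urllib.request.Request(BASE_URL + path, method="GET")
    req.add_header("Authorization", "Bearer " + api_key)
    return req


def retry_delay(retry_after, now=None, default=1.0, cap=60.0):
    """Turn a Retry-After value (delta-seconds or HTTP-date) into seconds to wait."""
    if not retry_after:
        return default
    try:
        delay = float(retry_after)
    except ValueError:
        try:
            when = email.utils.parsedate_to_datetime(retry_after).timestamp()
        except (TypeError, ValueError):
            return default  # unparseable header: fall back to the default wait
        delay = when - (time.time() if now is None else now)
    return min(max(delay, 0.0), cap)  # never negative, never longer than cap


def urllib_send(req):
    """Real transport: returns (status, headers, body) instead of raising on 4xx/5xx."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.headers, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.headers, err.read()


def get_with_backoff(path, api_key, send=urllib_send, sleep=time.sleep, attempts=4):
    """GET path, waiting as Retry-After instructs on 429; returns (status, body)."""
    for attempt in range(attempts):
        status, headers, body = send(build_request(path, api_key))
        if status != 429 or attempt == attempts - 1:
            return status, body
        sleep(retry_delay(headers.get("Retry-After")))
```

Load the key from a secret store or environment variable at runtime rather than embedding it in the script, so a rotation only changes the stored secret.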