Skip to main content

API Keys

API keys allow you to access Callem Studio data programmatically via the Public REST API. Use them to integrate call data and knowledge base content into your own systems.

Accessing API Keys

Navigate to Settings from the sidebar, then select the API Keys tab.

Creating an API Key

  1. Click Create API Key
  2. Enter a descriptive name (e.g. “Production CRM Integration”)
  3. Optionally configure:
    • Allowed IPs: restrict which IP addresses can use this key
    • Expiration: set an automatic expiry date
  4. Click Create Key
The full API key is displayed only once after creation. Copy it immediately and store it securely. You will not be able to see it again.

Key Format

API keys follow the format: ck_live_ followed by 60 random characters. 
ck_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6a7b8c9d0
Only the first 12 characters (prefix) are stored and displayed in the dashboard for identification purposes. The full key is hashed with SHA-256 and never stored in plain text.

IP Restrictions

You can restrict API key usage to specific IP addresses for additional security:
FormatExampleDescription
Single IP192.168.1.1Allow only this exact IP
CIDR range10.0.0.0/24Allow an entire subnet
Wildcard*Allow all IPs (same as no restriction)
Leave the field empty to allow access from any IP address.

Key Management

The API Keys list shows:
ColumnDescription
NameThe label you assigned
Key prefixFirst 12 characters for identification (ck_live_a1b2••••••••)
IP restrictionNumber of IP rules, or “All IPs”
Last usedWhen the key was last used to make an API call
ExpiresExpiration date, or “Never”

Revoking a Key

Click the menu icon next to a key and select Revoke Key. This is immediate — any application using this key will lose access instantly.
Revoking a key cannot be undone. You will need to create a new key and update all applications that used the old one.

Security Best Practices

Always restrict API keys to your server’s IP address in production. This prevents unauthorized access even if the key is leaked.
Create new keys and revoke old ones on a regular schedule (e.g. every 90 days).
Create different keys for development, staging, and production. This makes revocation safer — you can revoke a compromised dev key without affecting production.
Store API keys in environment variables or a secrets manager. Never hardcode them in source code.