Restricted Keys
When you register with Invoicetronic, you receive a pair of primary keys (test and live) with full access to all API resources. Restricted keys are additional keys that you create yourself, ideal for managing multiple integrations or delegating access securely.
Creation and management
Restricted keys are created and managed from the Dashboard, in the Keys section. For each key you can configure:
- Description — a label to identify the key's purpose
- Status — enable or disable the key at any time
- Companies — restrict access to specific companies, or leave empty to allow access to all
- Permissions — choose a permission preset (see below)
- CORS Origins — configure allowed origins for browser requests (see the CORS guide)
Each restricted key automatically generates a test and live key pair, just like the primary key.
Permission presets
Each restricted key has a permission preset that determines which operations it can perform:
| Preset | Description |
|---|---|
| Full access | Read and write on all endpoints. Equivalent to the primary key (except for restricted key management itself) |
| Read only | Read-only operations (GET) on all endpoints. Ideal for monitoring or reporting integrations |
| Send | Read permissions on all endpoints, plus the ability to send invoices. Ideal for integrations that need to issue documents but not manage other resources |
Company restrictions
If your primary key manages multiple companies, you can create restricted keys that only have access to some of them. This is useful when:
- You have different clients and want to give each one a key that only accesses their own documents
- You want to isolate environments between departments or different integrations
- You need to delegate access to external collaborators, limiting it to the relevant companies
If you don't select any company, the key will have access to all companies on your account.
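As an added example (not Invoicetronic code), the Python below models the presets and the company rule described above and derives the narrowest key settings from the calls an integration actually makes. The `/send` prefix, the other paths and the company ids are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Presets from the table above, ordered from least to most privileged.
PRESETS = ("Read only", "Send", "Full access")
# ASSUMPTION: invoices are sent with POST to a path starting with /send.
SEND_PREFIX = "/send"

@dataclass(frozen=True)
class Call:
    method: str      # HTTP verb the integration used
    path: str        # endpoint path (hypothetical values below)
    company_id: int  # company the call touched (constructed ids)

def preset_allows(preset, call):
    """Model of the preset table: would this preset permit the call?"""
    method = call.method.upper()
    if method == "GET":
        return True   # all three presets can read every endpoint
    if preset == "Full access":
        return True   # restricted key management is excluded, not modelled
    if preset == "Send":
        return method == "POST" and call.path.startswith(SEND_PREFIX)
    return False      # "Read only" permits GET only

def company_allows(key_companies, company_id):
    """An empty company list means ALL companies, not none."""
    return not key_companies or company_id in key_companies

def recommend(calls):
    """Smallest preset and company list that cover every observed call."""
    if not calls:
        # Returning [] here would silently mean "all companies".
        raise ValueError("no calls observed; cannot derive a company list")
    preset = next(p for p in PRESETS if all(preset_allows(p, c) for c in calls))
    return preset, sorted({c.company_id for c in calls})

def excess(preset, key_companies, calls):
    """True if the key's current settings are broader than the calls need."""
    need_preset, need_companies = recommend(calls)
    wider_preset = PRESETS.index(preset) > PRESETS.index(need_preset)
    wider_scope = not key_companies or set(key_companies) > set(need_companies)
    return wider_preset or wider_scope

# Constructed sample calls: a reporting job and an invoicing service.
REPORTING = [Call("GET", "/receive", 101), Call("GET", "/log", 101)]
INVOICING = [Call("GET", "/send", 102), Call("POST", "/send", 102)]
```

`recommend` refuses an empty call list on purpose: an empty company selection grants every company on the account, so it must never be produced as a "minimal" setting.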
Use cases
- Least-privilege integration: create a read-only key for a reporting system that only needs to query invoices and logs
- External collaborator: create a temporary key restricted to specific companies for a consultant or developer
- Dedicated microservice: assign each service in your architecture a key with only the necessary permissions
- Development and testing: create test keys with reduced permissions for your development environments
- Frontend/browser application: if you call the API from JavaScript in the browser, the key is inevitably visible in the client code. Use a restricted key with the minimum required permissions and configure the allowed CORS origins from the Dashboard. See the CORS guide for more details
- ISV with Desk: assign each client a restricted key limited to their company only, and let them use Desk directly with that key. Each client will have exclusive access to their own documents, with full autonomy and security
Desk seats
A Desk seat grants access to Desk Cloud for a specific API key. Seats are independent subscriptions, each with its own billing cycle.
How it works
- In the Keys section of the Dashboard, click Enable Desk on any key (primary or restricted)
- Complete the checkout — the first seat includes a 15-day free trial
- The key is now linked to a Desk seat. Your client (or yourself) can register on Desk, enter the key, and start using it immediately
Managing seats
From the Keys page you can:
- Enable Desk — purchase a new seat for a key
- Move Desk — reassign an existing seat to a different key (same subscription, no new checkout)
- Disable Desk — cancel the seat's subscription
Each seat is tied to a single key (1:1). A key can have at most one seat, and a seat is assigned to exactly one key at a time.
Trial
The first Desk seat you ever purchase gets a 15-day free trial. Subsequent seats are billed immediately. Trial eligibility is per account and cannot be reset, even if the first seat is canceled during the trial period.
For ISVs
If you are an ISV serving multiple clients:
- Create a restricted key per client (with company restrictions for isolation)
- Purchase a Desk seat for each key
- Share the key with your client — they register on Desk and enter it in their profile
You control access centrally: disable or move seats at any time from the Dashboard. Your clients never deal with billing — you manage everything.
Security
Restricted keys follow the principle of least privilege: always assign only the permissions that are strictly necessary. You can disable or delete a restricted key at any time from the Dashboard, with immediate effect.
Best practice
Avoid sharing your primary key. Instead, create dedicated restricted keys for each integration or collaborator, so you can revoke access individually without impacting other integrations.