Managing API Keys
API keys let external tools and agents interact with your BuildChart data programmatically. They are available on Pro and Business tiers and give you fine-grained control over what each integration can access.
How to Generate an API Key
- Go to Account > API Keys.
- Click "Generate New Key".
- Enter a descriptive name for the key (e.g., "Hermes Agent" or "Zapier").
- Choose a scope:
  - Read Only — Allows GET requests only. The key can read projects, tasks, members, and activity but cannot create, update, or delete anything.
  - Read-Write — Full CRUD access. The key can create tasks, update statuses, manage members, and more.
- Optionally scope the key to specific projects. If left blank, the key has access to all projects you own.
- Set an expiry period: 30, 60, 90, or 365 days, or select no expiry for long-running integrations.
- Click Generate.
Important: The full API key is shown only once immediately after generation. Copy it right away and store it securely — you cannot view the full key again. The key prefix (e.g., cg_live_xxxx...) remains visible in your key list for identification purposes.
📝 Note
API keys are shown only once when created. If you lose a key, revoke it and generate a new one. There is no way to recover or display the full key after the initial creation screen.
Rate Limits by Tier
Each tier has defined rate limits to ensure fair usage and platform stability:
- Pro — 500 requests per minute, 50,000 requests per day.
- Business — 2,000 requests per minute, 500,000 requests per day.
If you exceed these limits, the API returns a 429 Too Many Requests response. Back off and retry after the window resets.
Circuit Breaker
BuildChart includes an automatic circuit breaker for safety. If a key's usage spikes to 3x above its normal rate within a 5-minute window, the key is automatically suspended for 15 minutes. This protects your account from runaway scripts or misconfigured integrations. You will receive a notification when a key is suspended, and it will resume automatically after the cooldown period.
Revoking a Key
To revoke an API key, go to Account > API Keys and click Revoke next to the key you want to disable. The key is deactivated immediately — any requests using it will receive a 401 Unauthorized response. Revocation is permanent; you cannot re-enable a revoked key.
💡 Tip
Use read-only keys for monitoring and reporting integrations. Only use read-write keys for tools that need to create or update data. This limits the blast radius if a key is compromised.
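The following is an added example, not BuildChart's own code, of a client that respects the behavior described on this page: it keeps its request rate below the tier's per-minute limit, backs off and retries on 429, and stops immediately on 401. The `send` transport callable, the 80% headroom, the retry count, and the `BUILDCHART_API_KEY` environment variable name are assumptions.

```python
import os
import time
from collections import deque

# Requests per minute by tier, as listed on this page.
PER_MINUTE = {"pro": 500, "business": 2000}

class KeyRejected(Exception):
    """401 Unauthorized: the key is revoked, so retrying cannot succeed."""

class ThrottledClient:
    # send(method, path, api_key) -> (status, body) is a hypothetical transport.
    def __init__(self, send, api_key, tier, headroom_pct=80,
                 clock=time.monotonic, sleep=time.sleep):
        self.send, self.api_key = send, api_key
        # Keep a margin under the tier limit so bursts do not reach it.
        self.budget = PER_MINUTE[tier] * headroom_pct // 100
        self.clock, self.sleep = clock, sleep
        self.sent = deque()  # send times of requests in the last 60 seconds

    def _wait_for_slot(self):
        now = self.clock()
        while self.sent and now - self.sent[0] >= 60:
            self.sent.popleft()
        if len(self.sent) >= self.budget:
            # Window is full: wait until the oldest request leaves it.
            self.sleep(60 - (now - self.sent[0]))
            self.sent.popleft()
        self.sent.append(self.clock())

    def request(self, method, path, max_retries=4):
        delay = 1.0
        for attempt in range(max_retries + 1):
            self._wait_for_slot()
            status, body = self.send(method, path, self.api_key)
            if status == 401:
                raise KeyRejected(path)  # never retry a revoked key
            if status != 429:
                return status, body
            if attempt < max_retries:
                self.sleep(delay)  # back off; doubling keeps retries bounded
                delay = min(delay * 2, 60)
        raise RuntimeError("still rate limited after %d retries" % max_retries)

def client_from_env(send, tier):
    # Hypothetical variable name; the key is read at runtime, never hard-coded.
    return ThrottledClient(send, os.environ["BUILDCHART_API_KEY"], tier)
```

Injecting `clock` and `sleep` lets the throttling and backoff logic be exercised in tests without real delays or network access.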