Manage Access

Manage who can access your organization, what they can do, and how external applications authenticate. All access management is in the Administration area.


Users

Path: Administration → Security → Users

The Users page lists all users in your organization. Each row shows:

  • User's name and email
  • Role
  • Status (Active or Suspended)
  • Sign-in method (password, SSO, etc.)

Inviting a User

  1. Click Add User
  2. Fill in the fields:
    • First Name and Last Name (optional)
    • Email Address (required)
    • Sign-in Method — how the user will authenticate (password or SSO provider)
    • Initial Role — the role to assign (you can change this later)
  3. Click Create

An invitation email is sent automatically to the new user.

Managing Roles

Click the actions menu on any user row, then select Manage Roles to assign or remove roles.

Disabling a User

Click the actions menu → Disable User to prevent a user from logging in without deleting their account. Click Enable User to restore access.

Removing a User

Click the actions menu → Delete User. A confirmation dialog appears. Deletion is permanent.


API Keys

Path: Administration → Security → API Keys

API keys allow external applications and scripts to call Apptor Flow APIs without a user session. Each key is assigned one or more roles that control its permissions.

The page shows stats cards (Total, Active, Suspended, Revoked) and a table of all keys:

| Column | Description |
|---|---|
| Name | Descriptive name you chose |
| Key Prefix | First part of the key (e.g., apk_...) |
| Status | Active, Suspended, or Revoked |
| Roles | Permissions assigned to this key |
| Rate Limit | Requests per minute / per hour |
| Created | Creation date |
| Last Used | When the key was last used to authenticate |

Creating an API Key

  1. Click New API Key
  2. Enter a Key Name (e.g., "Production Integrations", "CI/CD Pipeline")
  3. Select one or more Roles to assign (at least one required)
  4. Click Create

The full key value is shown only once in a modal — copy it immediately. It will never be shown again.

Key format: apk_{id}_{secret}

Use the key in API requests via the X-API-Key header:

X-API-Key: apk_your_key_here

Or as a Bearer token in the Authorization header:

Authorization: Bearer apk_your_key_here

Revoking a Key

Click the actions menu → Revoke Key. A confirmation dialog warns that applications using the key will immediately lose access. Revocation is permanent — the key cannot be re-activated.

Rate Limits

Each key inherits the organization's default rate limit. Click Edit Rate Limits to set per-key limits (which cannot exceed the organization's ceiling).


Secrets

Path: Administration → Security → Secrets

Secrets store sensitive values (API keys, passwords, tokens) securely so they can be referenced in connection configurations without being exposed in plain text.

The Secrets table shows:

  • Key — the secret name (uppercase, e.g., STRIPE_API_KEY)
  • Description — optional description
  • Environments — which environments have a value configured (Dev, Staging, Prod, etc.)
  • Created — creation date

Creating a Secret

  1. Click New Secret
  2. Enter a Secret Key — uppercase letters, numbers, and underscores only (e.g., OPENAI_API_KEY)
  3. Enter an optional Description
  4. Enable one or more environments and enter the secret value for each
  5. Click Create

Secret values are encrypted at rest. They are not visible after creation.

Referencing a Secret

Use the reference syntax @@SECRET:YOUR_KEY@@ anywhere a credential value is expected in a Connection configuration.

For example, when configuring a REST API connection's API key field, enter:

@@SECRET:STRIPE_API_KEY@@

At runtime, the engine substitutes the actual secret value for the current environment.

To copy the reference syntax, click the Copy Reference button (document icon) on any secret in the table.
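
A pre-deployment check for the reference syntax described above, as an added example that is not Apptor Flow's own code: it walks a connection configuration held as a nested dict and flags plaintext values in credential fields, hard-coded apk_ keys, and @@SECRET:...@@ references whose name is malformed or not defined. The dict layout, the credential field names and the character set of the key's id and secret parts are assumptions.

```python
import re

# Reference syntax and key-name rule (uppercase, digits, underscore) from this page.
SECRET_REF = re.compile(r"@@SECRET:([^@]*)@@")
VALID_NAME = re.compile(r"[A-Z0-9_]+")
# Key shape apk_{id}_{secret} from this page; the id/secret alphabet is assumed.
API_KEY = re.compile(r"\bapk_[A-Za-z0-9]+_[A-Za-z0-9]+")
# Assumed names of credential-bearing fields in the configuration being checked.
CREDENTIAL_FIELDS = {"api_key", "password", "token", "client_secret"}


def audit(node, known_secrets, path="", field=""):
    """Walk a nested dict/list config and return (path, problem) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            findings += audit(value, known_secrets, child, key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            findings += audit(value, known_secrets, f"{path}[{i}]", field)
    elif isinstance(node, str):
        refs = SECRET_REF.findall(node)
        for name in refs:
            if not VALID_NAME.fullmatch(name):
                findings.append((path, f"malformed secret name {name!r}"))
            elif name not in known_secrets:
                findings.append((path, f"undefined secret {name}"))
        if API_KEY.search(node):
            findings.append((path, "hard-coded apk_ key"))
        elif field.lower() in CREDENTIAL_FIELDS and node and not refs:
            findings.append((path, "plaintext credential"))
    return findings


# Constructed sample: every value below is made up for the example.
SAMPLE_CONFIG = {
    "stripe": {"api_key": "@@SECRET:STRIPE_API_KEY@@"},
    "crm": {"password": "hunter2"},
    "mail": {"token": "@@SECRET:mail_token@@"},
    "internal": {"headers": ["X-API-Key: apk_ab12_cd34ef56"]},
    "llm": {"api_key": "@@SECRET:OPENAI_API_KEY@@"},
}
KNOWN_SECRETS = {"STRIPE_API_KEY"}  # names defined on the Secrets page (assumed)

if __name__ == "__main__":
    for where, problem in audit(SAMPLE_CONFIG, KNOWN_SECRETS):
        print(f"{where}: {problem}")
```
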

Editing a Secret

Click Edit (pencil icon) on a secret to:

  • Update the description
  • Add values to additional environments
  • Update values for existing environments
  • Remove the secret from specific environments

The secret key name cannot be changed after creation.

Deleting a Secret

Click Delete (trash icon). A confirmation dialog warns that any workflows or connections using the secret will fail. Deletion removes the secret from all environments.


Permissions Summary

| Role | Capabilities |
|---|---|
| Super Admin | Full access to all organizations, system integrations, user management |
| Org Admin | Full access within their organization: users, API keys, secrets, integrations |
| Regular User | Can create flows, execute workflows, manage their own connections |