Scoped API Key Permissions

Written by Product Team

API keys can now be granted specific, scoped permissions instead of blanket administrator access. This limits the blast radius if a key is compromised or misused — especially important as AI agents and automated scripts increasingly use API keys to make autonomous calls on your behalf.

  • New API keys — you select one or more permission sets at creation time. The key can only perform actions covered by those sets.

  • Legacy API keys — keys created before this change retain full administrator access and continue working without any action required. They are marked Legacy and cannot be edited.


Creating a new API key

Go to Settings → API Keys and click Create New API Key.

Key Name

Give the key a descriptive name that identifies its purpose — for example, Production Server or CI/CD Pipeline. You cannot create a key without a name.

Permissions

Select one or more permission sets from the list. Permission sets are grouped by product area (Trips, Riders, Drivers, Analytics, etc.) and cover specific actions like viewing, creating, editing, or deleting records.

Best practice: Grant the minimum permissions needed for the integration. You can always add more permission sets later by creating a new key. If you select more than 10 write-capable permission sets, Spare will show a warning — review your selection to confirm the broad access is intentional.

You must select at least one permission set before the Create Key button becomes active.

Copy your key

After clicking Create Key, copy the key immediately. For security reasons, Spare does not store the full key — once you leave this page, the key cannot be retrieved again.


Legacy API keys

API keys created before scoped permissions were introduced are marked Legacy in the API Keys list. They continue to work exactly as before — with full administrator access — and require no action from you.

Note: Legacy keys cannot be edited. If you want to scope down an integration that currently uses a legacy key, create a new API key with the appropriate permissions and replace the key in your integration.


Viewing API key permissions

To see which permission sets a key has, open the API key from Settings → API Keys. The detail page shows all assigned permission sets.

Administrators can also view API key group memberships under Settings → Authorization Groups. Each authorization group has a Users tab and an API Keys tab, so you can see exactly which keys belong to each group and what permissions they carry.
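
The review described above can be scripted once the key list is written down. The following is an added example, not Spare's code or API: the inventory layout, the "area:action" permission-set names and the usage data are assumptions constructed for illustration. It flags legacy keys, keys above the 10 write-capable set warning threshold, and granted sets an integration never uses, and proposes the sets for a replacement key.

```python
# Added example: audit a hand-maintained key inventory against the rules in this
# article. The data layout and "area:action" set names are assumptions, not Spare's.
WRITE_ACTIONS = {"create", "edit", "delete"}  # "view" is treated as read-only
BROAD_WRITE_THRESHOLD = 10                    # article: warning above 10 write-capable sets

# Constructed sample inventory.
KEYS = [
    {"name": "Production Server", "legacy": True, "sets": []},
    {"name": "CI/CD Pipeline", "legacy": False,
     "sets": ["trips:view", "trips:create", "riders:view", "riders:delete"]},
    {"name": "Reporting", "legacy": False, "sets": ["analytics:view"]},
]
# Constructed: permission sets each integration was actually observed to need.
USED = {
    "Production Server": {"trips:view", "trips:edit"},
    "CI/CD Pipeline": {"trips:view", "trips:create"},
    "Reporting": {"analytics:view"},
}

def is_write(perm_set):
    """True when the set's action part can modify records."""
    return perm_set.rpartition(":")[2] in WRITE_ACTIONS

def audit_key(key, used):
    """Return (findings, replacement_sets); replacement_sets is None if no change is needed."""
    if key["legacy"]:
        # Legacy keys cannot be edited, so the only fix is a new scoped key.
        return ["legacy: full administrator access"], sorted(used)
    granted = set(key["sets"])
    findings = []
    writes = [s for s in granted if is_write(s)]
    if len(writes) > BROAD_WRITE_THRESHOLD:
        findings.append(f"broad write access: {len(writes)} write-capable sets")
    unused = sorted(granted - used)
    if unused:
        findings.append("granted but unused: " + ", ".join(unused))
    missing = sorted(used - granted)
    if missing:
        findings.append("needed but not granted (403 Forbidden): " + ", ".join(missing))
    # Keys are immutable, so any mismatch means creating a replacement key.
    return findings, (sorted(used) if granted != used else None)

if __name__ == "__main__":
    for key in KEYS:
        findings, replacement = audit_key(key, USED[key["name"]])
        print(key["name"], findings or ["ok"], "->", replacement)
```
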


Frequently Asked Questions

Will my existing integrations break?

No. Legacy keys continue to work with full administrator access. No changes are required for existing integrations.

Can I edit the permissions on an existing non-legacy key?

Not directly — API keys are immutable once created. To change permissions, create a new key with the updated permission sets and replace the old key in your integration.

What happens if a key tries to do something it does not have permission for?

The API returns a 403 Forbidden error. The key is not suspended — it continues to work for actions within its permitted scope.

Can I give an API key full administrator access?

Yes — select all available permission sets when creating the key. Spare will show a warning when broad write access is selected so you can confirm the choice is intentional.
