API Tokens

All API Methods require you to provide an active API Token.


Token Generation / Deactivation

Each site can have up to five active tokens. If a token is no longer in use or if it has been compromised, you can deactivate the token.

For each token, you may optionally add a "note" which is a short description to remind your team how a token is being used.

Tokens are currently 41-character strings, but the length of new tokens could become shorter or longer at any time.

Token generation and deactivation are managed via the Control Panel of your KPA Flex website. To access the API Management Pages, your account must be under a role with the "Manage API" permission enabled.

Manage Tokens

Token Security

Keep in mind that each token gives read/write access to your account, so it is critical that tokens are not shared publicly. Treat a token the way you would treat an admin username/password.

Do not include your token in client-side code. If you wish to access KPA Flex data from a web/mobile client, the client should make requests to your own server, which should verify the method/action. The server should then make the request to the KPA Flex API and forward the response to the client.


Rate Limit

The KPA Flex API limits requests to ~80 requests per minute per customer. All tokens share the same pool of requests. If the request rate exceeds this limit, then for ~60 seconds all requests will return an error in the response, with the ok field set to false:

{
  "error": "rate_limit_exceeded",
  "ok": false
}

If you wish to limit API calls to certain IP addresses, please contact help@kpaehs.com and include the IP addresses you wish to whitelist.

Egregious request rates or extended limit violations may be grounds for deactivation of the token or even of API access for the entire site.
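
The server-side pattern from Token Security, combined with the Rate Limit behaviour, as an added example that is not KPA's own code. The action names, the send callable (which performs the real HTTPS call and attaches the token however the API requires), the "action_not_allowed" error and the HTTP status codes are assumptions made for illustration.

```python
import time

# Hypothetical action names; list only what your client actually needs.
ALLOWED_ACTIONS = {"forms.list", "responses.list"}
COOLDOWN_SECONDS = 60  # the page says errors persist for ~60 seconds


class FlexGateway:
    """Server-side gateway: the web/mobile client never sees the token."""

    def __init__(self, token, send, clock=time.monotonic):
        self._token = token  # load from a secret store or env var, never from the client
        self._send = send    # assumed callable(action, params, token) -> dict
        self._clock = clock
        self._blocked_until = 0.0

    def handle(self, request):
        """Return (http_status, body) for one client request dict."""
        action = request.get("action")
        if action not in ALLOWED_ACTIONS:
            # The token is read/write, so this allowlist is the only limit on the client.
            return 403, {"ok": False, "error": "action_not_allowed"}
        if self._clock() < self._blocked_until:
            # Still inside the penalty window: do not spend more upstream requests.
            return 429, {"ok": False, "error": "rate_limit_exceeded"}
        # Drop any token field the client sent; only the server's token is used.
        params = {k: v for k, v in (request.get("params") or {}).items() if k != "token"}
        body = self._send(action, params, self._token)
        if body.get("ok") is False and body.get("error") == "rate_limit_exceeded":
            self._blocked_until = self._clock() + COOLDOWN_SECONDS
            return 429, body
        return 200, body


if __name__ == "__main__":
    # Constructed stand-in for the upstream API: always reports the limit as exceeded.
    def fake_send(action, params, token):
        return {"error": "rate_limit_exceeded", "ok": False}

    gw = FlexGateway("placeholder-token", fake_send)
    print(gw.handle({"action": "users.delete"}))  # rejected locally
    print(gw.handle({"action": "forms.list"}))    # forwarded, upstream reports the limit
    print(gw.handle({"action": "forms.list"}))    # answered locally during the cooldown
```

Because all tokens share one request pool, a single gateway instance in front of every caller keeps the cooldown state in one place.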