
Set up API keys in Alga PSA

Quickstart · 6 min · Beginner

This guide shows the real Alga PSA flow for creating a personal API key, storing it safely, and testing it against the REST API. It is the best starting point if you need credentials before making your first request.

Where API keys live in Alga PSA

For a normal integrator setup, create the key from your own user profile. In the current Alga PSA UI, the API key screen is available under Profile → API Keys, and the hosted app currently uses the route /msp/profile?tab=api-keys.

Admins can also see broader API-key management screens in security settings, but for external integrations, a personal key created under your own profile is usually the right place to start.

Step 1: open the API keys tab

Sign in to Alga PSA, open your profile settings, and select API Keys. The page lets you create a new key with a description and an optional expiration date.

Step 2: create a key with a clear description

Use a description that tells you exactly which integration owns the key, such as CRM sync, Billing export, or Developer portal test.

Description (string, optional)
A human-readable label so you can identify the key later.
Expiration date (datetime, optional)
Optional. Use it if the integration is temporary or needs a planned rotation date.

Step 3: copy the key immediately

Alga PSA returns the plaintext key value when the key is created. After that, you should assume you will not be able to view the full value again from the management screen. Copy it immediately into a password manager, secret manager, or environment variable store.

.env.local
ALGA_API_KEY="your-new-api-key"
ALGA_API_BASE_URL="https://algapsa.com"

Step 4: send it with X-API-Key

The public REST API uses the X-API-Key header. You do not need a tenant header for the normal third-party integrator flow documented here.

curl
curl -X GET "https://algapsa.com/api/v1/boards" \
  -H "X-API-Key: $ALGA_API_KEY"

Step 5: verify the key works

Start with a safe read endpoint like boards or tickets. If the request succeeds, your key is valid and the creating user has permission to access that resource.

GET /api/v1/boards: Good first test because it is simple and commonly needed later.
GET /api/v1/tickets?page=1&limit=10: Useful for confirming auth plus pagination behavior.
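
A pre-flight check for Steps 3 to 5, added here as an example and not part of Alga PSA's own tooling: it reads the key from .env.local without sourcing the file, refuses a group- or world-readable file or the placeholder value, and calls /api/v1/boards with the header kept off the command line. The function names and the meanings given to 401 and 403 are assumptions (the usual HTTP semantics), and the key is assumed to contain no quote or backslash characters.

```shell
#!/bin/sh
# Added example. load_key, probe_status and interpret_status are
# hypothetical helper names, not part of Alga PSA.

# Read ALGA_API_KEY from an env file without sourcing it (sourcing would
# execute anything else in the file). Refuses loose permissions and the
# placeholder value from the guide.
load_key() {  # $1 = path to env file
  [ -f "$1" ] || { echo "missing $1" >&2; return 1; }
  # Characters 5-10 of `ls -ld` are the group/other permission bits.
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] ||
    { echo "$1 is readable by group/other; chmod 600 it" >&2; return 1; }
  key=$(sed -n 's/^ALGA_API_KEY="\{0,1\}\([^"]*\)"\{0,1\}$/\1/p' "$1" | head -n 1)
  case "$key" in
    ""|your-new-api-key) echo "no real key in $1" >&2; return 1 ;;
  esac
  printf '%s\n' "$key"
}

# Call the read-only boards endpoint and print only the HTTP status.
# The header reaches curl as a config on stdin (printf is a shell builtin),
# so the key does not show up in the process list as it does with -H.
probe_status() {  # $1 = key, $2 = base URL
  printf 'header = "X-API-Key: %s"\n' "$1" |
    curl --silent --output /dev/null --write-out '%{http_code}' \
         --max-time 10 --config - "$2/api/v1/boards"
}

# 2xx is the success case the guide describes. The 401/403 readings are
# the usual HTTP meanings, assumed here rather than taken from the page.
interpret_status() {  # $1 = HTTP status
  case "$1" in
    2??) echo "ok: key accepted and user can read boards" ;;
    401) echo "rejected: key unknown, expired or deactivated"; return 1 ;;
    403) echo "denied: key accepted but user lacks permission"; return 1 ;;
    000) echo "no response: check ALGA_API_BASE_URL and network"; return 1 ;;
    *)   echo "unexpected status $1"; return 1 ;;
  esac
}

# Usage: sh check-key.sh --run [.env.local]
if [ "${1:-}" = "--run" ]; then
  key=$(load_key "${2:-.env.local}") || exit 1
  interpret_status "$(probe_status "$key" "${ALGA_API_BASE_URL:-https://algapsa.com}")"
fi
```

The same check is useful during rotation: run it against the replacement key before deactivating the old one.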

How permissions work

API keys inherit the permissions of the user who created them. If the key can read tickets but cannot access billing data, that usually means the underlying user account is limited in the same way.

  • Create separate keys for separate integrations.
  • Avoid sharing one key across unrelated systems.
  • Use a low-privilege user when the integration does not need broad access.

Rotation and replacement

If you lose track of a key or need to rotate it, create a replacement first, update the downstream system, and then deactivate the old key. That avoids downtime during cutover.

In Alga PSA, deactivating the old key is safer than leaving it active and waiting for it to be forgotten, because a copy may still be held somewhere unexpected.

Next steps

Once you have a working key, continue with Make your first API call or review the API keys reference page and authentication reference.