Arvexi Documentation

API authentication and keys

How API keys work

Every API request to Arvexi must include a valid API key. Keys are long-lived credentials designed for server-to-server communication. They are not tied to a specific user session and do not expire on a fixed schedule. Instead, your team controls the lifecycle through generation and rotation.

When you create a key, Arvexi generates a cryptographically random token and stores only a one-way hash (SHA-256) in the database. The raw key is displayed exactly once at creation time. If you lose it, you must generate a new one. Arvexi cannot recover the original value.

Generating a key

Navigate to Settings → API → Keys and click Generate new key. You will be prompted to:

  1. Name the key: Use a descriptive label that identifies the integration (e.g., netsuite-production or data-warehouse-sync).
  2. Select permissions: Choose between full access or read-only. Read-only keys can query data but cannot create, update, or delete records.
  3. Confirm generation: The raw key is displayed in a modal. Copy it immediately and store it in your secrets manager (AWS Secrets Manager, HashiCorp Vault, or your CI/CD environment variables).

Key format and prefix

All Arvexi API keys follow a consistent format that makes them easy to identify in logs and credential scanners:

arx_live_k1_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
  • arx: Arvexi namespace prefix.
  • live: Environment indicator. Production keys use live; sandbox keys use test.
  • k1: Key version identifier, allowing Arvexi to evolve the format without breaking existing integrations.
  • Random segment: 32 characters of base62-encoded random bytes, giving 190 bits of entropy.

The prefixed format means leaked keys can be detected automatically by tools like GitHub secret scanning, GitGuardian, and TruffleHog.
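The two mechanisms above, hash-only storage of the key (the server keeps a SHA-256 digest, never the raw value) and the fixed arx_env_k1_ layout that secret scanners can match, are easy to see in code. The following is an added Python example written for this article; it is not Arvexi's implementation, and the regex, the in-memory store and the function names are illustrative assumptions. It mints a key in the documented format, registers only its digest, authenticates a presented key by digest lookup, and exposes the same pattern as a scanner rule for finding keys that have leaked into text such as a diff or a log line.

```python
import hashlib
import math
import re
import secrets

# Alphabet for the 32-character random segment (base62: digits, upper, lower).
BASE62 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Matches the documented layout arx_<env>_k<version>_<32 base62 chars>.
# Used both to validate a presented key and to scan text for leaked ones.
# The version group accepts k1, k2, ... so a future format bump still matches.
KEY_RE = re.compile(r"\barx_(live|test)_(k[0-9]+)_([0-9A-Za-z]{32})\b")


def entropy_bits(length: int = 32, alphabet: str = BASE62) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def generate_key(env: str = "live") -> str:
    """Mint a key in the documented format from a CSPRNG (secrets module)."""
    if env not in ("live", "test"):
        raise ValueError("env must be 'live' or 'test'")
    random_segment = "".join(secrets.choice(BASE62) for _ in range(32))
    return f"arx_{env}_k1_{random_segment}"


def parse_key(key: str):
    """Split a key into its parts, or return None if it is not well-formed."""
    m = KEY_RE.fullmatch(key)
    if m is None:
        return None
    return {"env": m.group(1), "version": m.group(2), "random": m.group(3)}


def hash_key(key: str) -> str:
    """One-way SHA-256 digest; this is all the server keeps after creation."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()


def register_key(store: dict, key: str, name: str, permissions: str) -> None:
    """Store metadata under the key's digest; the raw key is never persisted."""
    store[hash_key(key)] = {"name": name, "permissions": permissions}


def authenticate(store: dict, presented: str):
    """Return the key record for a presented key, or None.

    Malformed input is rejected before hashing. Because records are indexed
    by digest, a dump of the store yields no usable credentials.
    """
    if parse_key(presented) is None:
        return None
    return store.get(hash_key(presented))


def find_keys(text: str) -> list:
    """Scanner rule: every substring of `text` that looks like an Arvexi key."""
    return [m.group(0) for m in KEY_RE.finditer(text)]


if __name__ == "__main__":
    store = {}
    key = generate_key("test")
    register_key(store, key, "data-warehouse-sync", "read-only")
    print("minted:", key, f"({entropy_bits():.1f} bits)")
    print("auth ok:", authenticate(store, key))
    print("auth wrong key:", authenticate(store, generate_key("test")))
    # Constructed line standing in for a committed shell profile or CI log
    print("leaked:", find_keys("export ARVEXI_API_KEY=" + key))
```

Note that a lost raw key really is unrecoverable under this design: the only persisted value is the digest, and generate_key has to be called again to get a new credential. The find_keys rule is the kind of pattern the scanners named above use; with the \b anchors it will not fire on a key glued onto a longer identifier.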

Including the key in requests

Pass your API key in the Authorization header using the Bearer scheme:

curl -X GET https://app.arvexi.com/api/v1/leases \
  -H "Authorization: Bearer arx_live_k1_xxxxxxxx..." \
  -H "Content-Type: application/json"

Do not pass the key as a query parameter. Query parameters appear in server logs, browser history, and proxy caches, increasing the risk of accidental exposure. Arvexi rejects API keys sent as query parameters and returns a 401 Unauthorized response with an error message explaining the correct method.
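A client-side guard for the rule above, as an added Python example that is not part of Arvexi's SDK or this article's original content: the key is read from an environment variable (the name ARVEXI_API_KEY is an assumption), placed only in the Authorization header, and the request builder refuses any URL whose query string carries something that looks like a key, so the mistake is caught before the server has to return 401. A redact helper gives a form of the key that is safe to write to your own logs. Only the standard library is used.

```python
import os
import urllib.parse
import urllib.request

# Query-parameter names an integration might be tempted to use for a key.
# This list is constructed for the check below, not an Arvexi-defined set.
SUSPECT_PARAMS = {"api_key", "apikey", "key", "token", "access_token"}


def load_key(env=os.environ, var: str = "ARVEXI_API_KEY") -> str:
    """Read the key from the environment; the variable name is an assumption."""
    key = env.get(var, "")
    if not key.startswith("arx_"):
        raise RuntimeError(f"{var} is unset or does not look like an Arvexi key")
    return key


def key_in_query(url: str) -> bool:
    """True if the URL's query string carries a suspect parameter or a key-shaped value."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    for name, values in query.items():
        if name.lower() in SUSPECT_PARAMS or any(v.startswith("arx_") for v in values):
            return True
    return False


def build_request(url: str, api_key: str, method: str = "GET", body: bytes = None):
    """Construct the request with the key in the Authorization header only."""
    if key_in_query(url):
        raise ValueError("send the API key as a Bearer header, never as a query parameter")
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Content-Type", "application/json")
    return req


def redact(api_key: str) -> str:
    """Log-safe form: the prefix segments plus the last four random characters."""
    head, _, tail = api_key.rpartition("_")
    return f"{head}_...{tail[-4:]}"


if __name__ == "__main__":
    key = load_key()
    req = build_request("https://app.arvexi.com/api/v1/leases", key)
    print("GET /api/v1/leases using", redact(key))
    with urllib.request.urlopen(req) as resp:
        print(resp.status, resp.read()[:200])
```

The redacted form keeps enough of the key to correlate a log line with the key name shown in Settings → API → Logs without ever writing the credential itself.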

Per-organization scoping

Each API key is scoped to the organization that created it. A key generated by Acme Corp can only access Acme Corp’s data. It cannot read or modify records belonging to another organization, even if the underlying user has access to multiple organizations.

If you manage multiple organizations (common for accounting firms), generate a separate key for each one. This ensures clean audit trails and lets you revoke access to a single client without affecting the others.

Key rotation

Arvexi supports zero-downtime key rotation. The recommended process:

  1. Generate a new key in Settings and store it in your secrets manager.
  2. Update your integration to use the new key. Both the old and new keys are valid simultaneously.
  3. Verify the new key works by checking recent API logs in Settings → API → Logs. Each request is tagged with the key name so you can confirm traffic has shifted.
  4. Revoke the old key once all traffic is on the new key. Revocation is immediate and irreversible.

We recommend rotating keys every 90 days as a security best practice. Arvexi sends a reminder notification to organization admins when a key has not been rotated for 90 days.

Available endpoints

A valid API key grants access to more than 450 REST endpoints across the Arvexi platform, including:

  • Leases: CRUD operations on lease records, amortization schedules, journal entries, and disclosure reports.
  • Reconciliation: Account balances, transaction matching, reconciliation status, and certification workflows.
  • Close management: Period tasks, checklists, certification sign-offs, and close status.
  • Documents: Upload, extraction results, and Arvexi Cortex confidence scores.
  • Administration: Users, roles, entity hierarchy, chart of accounts, and audit logs.

All endpoints follow REST conventions with JSON request and response bodies. Pagination uses cursor-based tokens. Rate limits are documented in the rate limiting and idempotency article.

Security considerations

API keys carry the same access level as the permissions you assign at creation. Treat them with the same care as database credentials:

  • Never commit keys to version control. Use environment variables or a secrets manager.
  • Prefer read-only keys for integrations that only pull data (e.g., BI dashboards, data warehouses).
  • Monitor the API log for unexpected IP addresses or request patterns. Arvexi logs the source IP, user agent, and endpoint for every authenticated request.
  • If you suspect a key has been compromised, revoke it immediately in Settings → API → Keys. Revocation takes effect within seconds.
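Two of the checks described on this page, confirming during a rotation (step 3 above) that traffic has fully moved off the old key before revoking it, and watching the API log for source addresses a key has never used, can both be run over an export of the API log. The following added Python example is written for this article and is not an Arvexi tool: the JSON-lines layout and the field names are a constructed assumption that mirrors the fields the article says are logged (key name, source IP, user agent, endpoint), and the sample log lines and expected-network table are made up for the demonstration.

```python
import ipaddress
import json
from collections import Counter, defaultdict

# Constructed sample log in a hypothetical JSON-lines export format. The key
# names, addresses (RFC 5737 documentation ranges) and agents are invented.
SAMPLE_LOG = """
{"ts": "2024-05-01T10:00:01Z", "key_name": "netsuite-production", "source_ip": "203.0.113.10", "user_agent": "netsuite-sync/2.1", "endpoint": "GET /api/v1/leases", "status": 200}
{"ts": "2024-05-01T10:00:05Z", "key_name": "netsuite-production-2024q2", "source_ip": "203.0.113.10", "user_agent": "netsuite-sync/2.1", "endpoint": "GET /api/v1/leases", "status": 200}
{"ts": "2024-05-01T10:01:00Z", "key_name": "netsuite-production-2024q2", "source_ip": "203.0.113.11", "user_agent": "netsuite-sync/2.1", "endpoint": "POST /api/v1/journal-entries", "status": 201}
{"ts": "2024-05-01T10:02:30Z", "key_name": "data-warehouse-sync", "source_ip": "198.51.100.7", "user_agent": "python-requests/2.31", "endpoint": "GET /api/v1/reconciliation", "status": 200}
{"ts": "2024-05-01T10:03:12Z", "key_name": "data-warehouse-sync", "source_ip": "192.0.2.44", "user_agent": "curl/8.4.0", "endpoint": "GET /api/v1/users", "status": 200}
"""

# Constructed baseline: the networks each key is expected to call from.
EXPECTED_SOURCES = {
    "netsuite-production": ["203.0.113.0/28"],
    "netsuite-production-2024q2": ["203.0.113.0/28"],
    "data-warehouse-sync": ["198.51.100.7/32"],
}


def parse_log(text: str) -> list:
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def requests_per_key(entries: list) -> Counter:
    """Request count by key name, the number to watch while rotating."""
    return Counter(e["key_name"] for e in entries)


def old_key_drained(entries: list, old_key_name: str) -> bool:
    """True once no request in the exported window carries the old key's name."""
    return requests_per_key(entries)[old_key_name] == 0


def unexpected_sources(entries: list, expected: dict) -> list:
    """(key_name, source_ip, endpoint) for each request from outside the key's
    expected networks, including every request by a key with no baseline."""
    nets = {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in expected.items()}
    findings = []
    for e in entries:
        allowed = nets.get(e["key_name"])
        ip = ipaddress.ip_address(e["source_ip"])
        if allowed is None or not any(ip in n for n in allowed):
            findings.append((e["key_name"], e["source_ip"], e["endpoint"]))
    return findings


def agents_per_key(entries: list) -> dict:
    """User agents seen per key; a new agent on a long-lived key merits a look."""
    seen = defaultdict(set)
    for e in entries:
        seen[e["key_name"]].add(e["user_agent"])
    return dict(seen)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("requests per key:", dict(requests_per_key(entries)))
    print("safe to revoke netsuite-production:", old_key_drained(entries, "netsuite-production"))
    for key_name, ip, endpoint in unexpected_sources(entries, EXPECTED_SOURCES):
        print(f"REVIEW: {key_name} called {endpoint} from unexpected source {ip}")
    print("user agents:", agents_per_key(entries))
```

In the constructed sample the old netsuite-production key still has one request in the window, so the rotation should not proceed to revocation yet, and data-warehouse-sync (a read-only integration) shows a request from an address outside its baseline with a different user agent, which is exactly the pattern that should trigger the revoke-now guidance above.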
