API Keys and Client Secrets

開発者 API APIキー セキュリティ

For server-to-server integrations where your own server accesses Receipt Roller, using an API key is simpler than OAuth. This page explains how to issue and manage API keys.

Issuing an API key

  • Open "Developer" → "API Keys" from the business account management screen
  • From "Issue New," enter a descriptive name for the intended use (e.g. "Nightly batch" or "Internal dashboard")
  • Select the required scopes (read-only, read/write, etc.)
  • Click the issue button and the API key will be displayed

Handling API keys

  • The key is shown only once, immediately after issuance. Be sure to save it somewhere secure right away
  • We recommend storing it in a server environment variable or a secrets management service
  • Never embed it in client-side code (browsers or public apps)
  • Issuing a separate key for each use case limits the blast radius if one is ever leaked

Rotation and revocation

  • We recommend periodically issuing a new key and revoking the old one
  • When a person responsible leaves, immediately revoke the corresponding key
  • Access with a revoked key is denied immediately

Detailed developer information

For how to send the key in request headers, rate limits, and error behavior, see the developer help.

https://receiptroller.io/en/developer/help

Related articles

Published: 2026-04-15 Updated: 2026-07-02