API Keys & External Integrations
Phase 8 — Integrations · OpenFrame Onboarding
Sometimes the integration you need isn't a pre-built connector — it's your own script, a custom dashboard, or another system that needs to talk to OpenFrame directly. That's what API keys are for: they let external code authenticate to OpenFrame's API. This guide covers generating a key, keeping it safe, and where to find the endpoints.
Before you start
- You need an Admin role.
- Know what the key is for (which script or system will use it) so you can name it clearly and set a sensible expiry.
Where it lives
Go to Settings → API Keys Management. You'll see the API Keys page — a table of your existing keys with Name, Status, Key ID, Usage, Created, and Expires, plus two buttons: API Documentation and Create API Key.
Create a key
- Click Create API Key.
- API Key Name (required) — name it for what uses it, e.g. Ticketing webhook or Nightly inventory export. Future-you needs to know which key to revoke if something leaks.
- Description (optional) — a line on its purpose.
- Expiration Date (optional) — set one for keys tied to a temporary integration or a vendor; leave blank for a long-lived internal key. Short-lived is safer.
- Click Create API Key.
Copy the key immediately. Like every good system, OpenFrame shows the full secret once, at creation. Copy it straight into your integration's secret store or password manager. If you lose it, you don't recover it — you delete the key and make a new one.
Using the API
Click API Documentation (top of the API Keys page) for the endpoints, request/response shapes, and authentication details. The API is how external systems do things like:
- Create tickets from outside OpenFrame — wire another monitoring tool, a form, or an email parser to open tickets via the external ticket-creation endpoint.
- Pull data on a schedule — export device inventory, ticket status, or monitoring results into your own reporting.
- Receive webhook payloads — have OpenFrame notify your systems when something happens, so you're not polling.
Authenticate each request with the API key you generated (per your IdP/API docs' scheme — typically a header). Treat the key like a password.
Managing keys
Back on the API Keys table you can see each key's Status and Usage and revoke one you no longer trust. Good hygiene:
- One key per integration, named clearly — so revoking one doesn't break everything else.
- Rotate keys periodically, and immediately if one may have leaked.
- Set expirations on anything temporary.
- Never commit a key to source control or paste it into a ticket/chat.
Quick checklist
- Opened Settings → API Keys Management
- Created a key with a clear name (and expiry if temporary)
- Copied the secret once into a secure store
- Checked API Documentation for the endpoints you need
- Used one key per integration and planned for rotation
What's next
That completes Phase 8 — Integrations — OpenFrame is now wired to your identity provider and open to your own systems via the API. Next is Phase 9 — Security & Access Control, locking down roles, AI guardrails, and audit logging before you go to production.
Based on OpenFrame v0.9.19. API capabilities and the exact endpoints evolve — always check the in-product API Documentation for the current contract.
