API credentials let your systems interact with Wallet-as-a-Service (Palisade) programmatically. Every credential authenticates with OAuth 2.0 client credentials (this is the only supported flow) and is scoped with a permission set that defines exactly what it can do. As an owner or administrator, you create, scope, and manage credentials to control what each integration can access.
Each API credential consists of a client ID and client secret. Your application exchanges these for a time-limited Bearer token (valid for 1 hour) that authenticates API requests.
Permission sets scope credentials and define exactly what the credential can do. Each permission has four components:
| Component | Description |
|---|---|
| Type | The resource category (for example, balances, key, vault) |
| Action | The operation (create, delete, read, update) |
| Scope | How broadly the permission applies (org, vault, key) |
| Resource | A specific vault or wallet (optional — leave blank for all resources in the scope) |
- Go to Settings > API credentials.
- Select Create credentials.
- Select a permission set type — this pre-populates a set of default permissions:
| Permission set type | What it grants |
|---|---|
| Wallets | Manage wallets and vaults |
| Transactions | Manage transactions |
| Controls | Manage policies and addresses |
| Monitoring | Webhooks and auditing |
- Enter a name (5–50 characters). Choose a descriptive name that identifies the integration (for example, "Production - Transaction Service").
- Enter an optional description (5–50 characters).
- Configure IP addresses:
- All IP addresses (
0.0.0.0/0) — suitable for sandbox testing. - Limited IP addresses — enter up to 6 IPv4 addresses or CIDR ranges. Use this in production.
- All IP addresses (
- Review the default permissions. Select Add another permission to add more, or Remove to delete one.
- Select Generate credentials.
- Copy the client ID and client secret.
Palisade displays the client secret only once. Store it in a secrets manager or secure vault. If you lose it, you must delete the credential and create a new one.
Apply the principle of least privilege to every credential:
- Use the narrowest scope — if a credential only needs access to one vault, set the scope to
vaultand specify that vault as the resource. Avoidorgscope unless the credential genuinely needs organization-wide access. - Limit actions — grant only the actions the integration needs. A monitoring service needs
readonly, notcreateordelete. - One credential per integration — create separate credentials for each service or application. This limits the blast radius if someone compromises a credential.
A transaction monitoring service needs to read transactions across all vaults but must not create or modify anything. Create a credential with the Monitoring permission set type, then remove any create, update, or delete permissions. Keep only read actions.
IP whitelisting restricts which network addresses can use a credential.
- Sandbox — use All IP addresses for convenience during development.
- Production — always use Limited IP addresses with the specific IPs or CIDRs of your application servers.
You can configure up to 6 IP entries per credential. Each entry can be a single IPv4 address or a CIDR range.
Disabling a credential immediately prevents it from authenticating. Existing tokens issued by the credential continue to work until they expire (up to 1 hour).
Use disabling when:
- You suspect credential compromise
- A team member who managed the integration leaves
- You need to temporarily pause an integration for maintenance
- Go to Settings > API credentials.
- Select the credential.
- Select Disable.
To re-enable, open the credential and select Enable.
Deleting permanently removes the credential. Any integration using it stops working immediately after existing tokens expire.
- Go to Settings > API credentials.
- Select the credential.
- Select Delete.
- Confirm the deletion.
- Rotate credentials regularly — delete old credentials and create new ones on a defined schedule (for example, quarterly).
- Monitor credential usage — use audit logging to track which credentials are making API calls and when.
- Require approval for new credentials — set up an approval group for API credentials to prevent unauthorized creation. See Configure approval flows.
- Use IP whitelisting in production — never use "All IP addresses" in production environments.
- Separate by environment — use different credentials for sandbox and production. Never share credentials across environments.
- Document credential ownership — record which team or service owns each credential and who is responsible for rotating it.
- API credentials best practices — Step-by-step reference with code examples
- What are credentials in Palisade — Conceptual overview
- Manage API credentials — Reference documentation
- Getting started with the API — End-to-end API walkthrough
- Configure approval flows — Require approval for credential creation