API keys

API keys authenticate server-to-server integrations. This page covers requesting access, generating a key, the one-time raw-key reveal, and revoking a key — all organization-admin actions.

What API keys are for

An API key lets your own systems — a booking engine, a PMS, a checkout — call TaxLens directly, authenticating with the X-API-Key header instead of a logged-in session. A key is bound to one organization and stays bound to it even if the person who created it later switches organizations.

The API Keys screen before access is enabled, showing the Request API access prompt where the create-key form and keys table will appear. — The API Keys screen before access is enabled — the request-access prompt stands in for the create-key form and keys table.

Important

API keys are organization credentials, so the whole screen is gated to organization admins. Regular members see an “admin access required” notice instead.

Access is enabled during onboarding

API access is switched on per organization, manually, during onboarding — so we can confirm your integration pattern and expected volume first. Until it's enabled, the create-key form is replaced by a Request API access card with a contact link; the keys table is empty.

Detail

You can still explore everything else — the dashboard, the calculator, and this guide — and read the authentication docs — while access is pending.

Generating a key

1
Confirm the active organization
The key belongs to whichever organization is active in the switcher. Make sure it's the right one before you create the key.
2
Name the key
In Create New Key, give it a descriptive name (for example “Production Integration”) so you can tell keys apart later.
3
Create
Click Create Key. The raw key appears once — see the next section.

The raw key is shown once

On creation, the full secret key is revealed in a highlighted panel with a copy button and the warning: “Copy this key now. You won't be able to see it again.” TaxLens stores only a hash — after you dismiss the panel, the raw value is gone for good. The keys table afterward shows only a short prefix for identification.

# Authenticate with the X-API-Key header
curl https://api.taxlens.getdynamiq.ai/v1/tax/calculate \
  -H "X-API-Key: $TAXLENS_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{ "jurisdiction_code": "ES-CT-BCN", "stay_date": "2026-07-01",
        "nights": 3, "nightly_rate": 200, "currency": "EUR" }'

Heads up

Store the key in a secret manager or environment variable — never in client-side code or a repository. If a key leaks, revoke it (below) and issue a new one.

Revoking a key

Each active key in the table has a revoke action. Revoking is immediate and permanent: any integration using that key stops authenticating at once. There's no un-revoke — generate a fresh key if you need to rotate.

1
Find the key
Locate the key in the table by name or prefix. The table also shows when each key was created and last used, which helps spot stale keys.
2
Revoke and confirm
Click the revoke (trash) icon and confirm. The key's status flips to revoked and it stops working immediately.

For the request shape, error model, and idempotency rules your integration will use, see Authentication and Errors & idempotency.