How do I manage Harvest API key permissions?

Below are instructions on how to create a new Harvest API key that gives access only to selected endpoints, and instructions on how to update permissions on existing Harvest API keys. Managing permissions allows you to permit or deny access to each Harvest endpoint individually, so you can have more control over what data a developer or third-party partner can access from your account.

Any Harvest API keys created before January 18th, 2017 will have full permissions to all API endpoints that existed at that time, but any new API keys created after that point will need to be explicitly granted any required endpoint permissions. For further instructions on Authentication and the data available in our API, check out our Greenhouse Developer's site at  

Take the following steps to create a new Harvest API key or to update an existing key:

  • Click the Configure tab
  • Click Dev Center
  • Click API Credential Management

On the API Credential Management page, to create a new key, click the Create New API Key button.

From the Type drop-down menu, select Harvest. Entering a description is optional; however, it may be helpful to indicate the available permissions or what the key is for, to help distinguish between keys. When finished, click Create.

This will take you to the Manage API Key Permissions page, where you can select the endpoints, or specify the endpoint methods, that the key will give access to. You may need to work with your development team or integration partner to determine which endpoints you should select. Then click Update.


You can edit the Description or click Manage Permissions to update a key and the available endpoints at any time on the API Credential Management page.

PLEASE NOTE: Making changes to the permissions of an API key that is in use may impact internal or third-party tools that rely on data called from the API. To avoid any potential service disruptions, please check with your development team before making changes to a key's permissions. For security, we also highly recommend sending API keys using a public key or another secure messaging service, rather than copying keys into plain-text emails.