API keys
There is no separate key system for the add-on; the REST API authenticates with standard API keys. Create and manage keys at AdminCP > Setup > API keys.
Creating a key
- Navigate to AdminCP > Setup > API keys.
- Click Add API key.
- Give the key a title (such as "Backup script" or "Mobile app").
- Choose the key type:
  - Super-user. Bypasses scope and permission checks. Use for admin-level automation.
  - User. Bound to a single user. Subject to that user's per-category permissions.
- For user keys, pick the user.
- Tick the scopes the key may use (see below).
- Click Save. The full key value is shown once on the next page; copy it now.
Scopes the add-on registers
| Scope | Grants |
|---|---|
| Read downloads | List and get downloads, versions, files, comments. |
| Write downloads | Create, update, soft-delete downloads, versions, files, comments. |
| Hard-delete downloads | Permanently remove downloads, versions, and files. |
| Read categories | List and get categories. |
| Write categories | Create and update categories (admin only). |
| Hard-delete categories | Permanently remove categories (admin only). |
The hard-delete scopes are additive: a key needs the matching write scope plus the hard-delete scope to hard-delete. The hard-delete scope alone is not enough.
Recommended scopes
For most automation, "Read downloads" plus "Write downloads" is enough. Add "Read categories" if you also list or filter by category. Avoid super-user keys for routine work.
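The scope rules above can be checked against a key inventory before keys are issued or during a periodic review. The following is an added example, not code from the add-on: it models the additive hard-delete rule and the recommended scope set, using the scope labels from the table. The key record layout (`title`, `type`, `scopes`) and the sample inventory are assumptions constructed for illustration.

```python
# Scope names are the display labels from the table on this page. The key
# record layout (title/type/scopes) is constructed for this example.
ALL_SCOPES = {
    "Read downloads", "Write downloads", "Hard-delete downloads",
    "Read categories", "Write categories", "Hard-delete categories",
}
# Each hard-delete scope only works together with its matching write scope.
NEEDS_WRITE = {
    "Hard-delete downloads": "Write downloads",
    "Hard-delete categories": "Write categories",
}
# The set this page recommends for most automation.
ROUTINE = {"Read downloads", "Write downloads", "Read categories"}

def effective_scopes(key):
    """Upper bound on what a key can do; user keys are further limited by
    the bound user's per-category permissions."""
    if key["type"] == "super-user":
        return set(ALL_SCOPES)  # bypasses scope and permission checks
    granted = set(key["scopes"])
    return {s for s in granted if NEEDS_WRITE.get(s, s) in granted}

def audit(key):
    """Return least-privilege findings for one key record."""
    if key["type"] == "super-user":
        return ["super-user key: bypasses scope and permission checks"]
    granted = set(key["scopes"])
    findings = []
    for scope in sorted(granted - effective_scopes(key)):
        findings.append(f"{scope}: no effect without {NEEDS_WRITE[scope]}")
    for scope in sorted(effective_scopes(key) - ROUTINE):
        findings.append(f"{scope}: beyond the recommended routine set")
    return findings

# Constructed inventory, not exported from a real installation.
KEYS = [
    {"title": "Mobile app", "type": "user",
     "scopes": ["Read downloads", "Write downloads", "Read categories"]},
    {"title": "Cleanup job", "type": "user",
     "scopes": ["Read downloads", "Hard-delete downloads"]},
    {"title": "Purge job", "type": "user",
     "scopes": ["Read downloads", "Write downloads", "Hard-delete downloads"]},
    {"title": "Admin automation", "type": "super-user", "scopes": []},
]

if __name__ == "__main__":
    for key in KEYS:
        print(key["title"], sorted(effective_scopes(key)), audit(key))
```

A finding of "no effect" marks a grant that can be removed without changing behaviour; a finding of "beyond the recommended routine set" marks a key whose compromise allows more than routine read and write access.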
Revoking a key
Navigate to AdminCP > Setup > API keys. Use the row controls to Disable or Delete the key. Disabling preserves the row for audit purposes; deleting removes it entirely.
After deleting a key, audit log entries created through it remain intact and still trace back to the key's identifier, so an investigation can still find the activity.
Cross-link
For endpoint reference, request and response examples, and authentication header details, see the REST API overview and the per-resource pages under the API section.