Skip to main content

Security, API keys and developer access

If a third-party tool needs to read data from Lupa or push data into it, in example: a custom dashboard, a data warehouse, a marketing automation or an internal report, it does so through Lupa's HTTP API using an API key your practice generates. The same Settings area also hosts a single security policy: auto-logging staff out after a period of inactivity, useful for shared computers at reception or in consult rooms.

💡 In short: Open Admin Settings → API Keys to manage credentials for third-party integrations against Lupa's public API. Open Admin Settings → Security for the auto-logout setting that signs idle staff out after a configurable number of minutes.


Before You Begin

📍 Permissions required:

  • Both pages are in Admin Settings, which is separate from the per-clinic Settings page. If you can't see Admin Settings at all, ask your administrator to grant access.

  • API Keys: to create, edit, enable, or disable API keys

  • Update Security Settings: to change the auto-logout policy

API keys are created at the company level, so a single key works across every clinic in your group. The same is true for the auto-logout setting.

API Keys

API keys let an external system call Lupa's public API on your company's behalf. Each key has a name, a creator, an enabled flag, and a actual key which is hidden. Keys persist until you disable or rotate them.

API Keys settings page with the Documentation link and the + Create API Key button in the top right, and the empty list area below ready to receive your first key

Where to find API documentation

The endpoints, request shapes, and authentication details are on Lupa's developer docs site at https://developers.lupapets.com/docs. This can also be found in Lupa over Admin Settings → API Keys. The header carries a Documentation link to the public API docs.

💡 Read vs Write scope: Lupa stores a Read/Write permission scope alongside each key, but the on-screen create flow keeps the scope decision out of the dialog, the scope ends up tied to how your integration calls the API. If a vendor needs to push data in (not just read), confirm with Lupa support that the key is Write-scoped before you ship.

Create a new API key

  1. Click + Create API Key in the top right.

  2. Give it a meaningful Name. Use the integration name and environment (e.g. Looker production, Mailchimp sync staging) so you can audit later.

  3. Leave Enabled on (the default). Toggle it off if you want to mint the key in a disabled state and turn it on later.

  4. Click Save. Lupa generates the key value and shows it in a copy-to-clipboard field on the row that appears in the list.

  5. Copy the key immediately and paste it into the integration that needs it. The full key is only shown clearly at creation time.

    Create API Key dialog with the Name field and the Enabled toggle, and the Save button at the bottom right

🔒 Treat keys like passwords. Don't paste them in chat, email, or shared documents. Store them in your integration's secret manager or environment variables. If a key is leaked, disable it from the list and create a new one.

Disable, re-enable, or rotate a key

  • Disable: open the key from the list and turn off **Enabled. **The key then keeps existing in Lupa but stops authenticating requests.

  • Re-enable: flip the toggle back on.

  • Rotate: create a new key, update the integration to use it, then disable the old one once you've confirmed the integration is working with the new key.

Reading the audit columns

Column

What it tells you

Created by

The staff member who created the key. Useful when you find an unfamiliar key. Talk to whoever created it before disabling.

Last used

Timestamp of the last successful API call using this key. A blank or stale value usually means the integration has been retired or is broken; investigate before disabling so you don't break something live.

Enabled

Whether the key currently works. Disabled keys reject all requests with an authentication error.


Auto-logout (Security)

Open Admin Settings → Security. The page contains a single setting: how long to wait before logging an idle user out.

Security settings page showing the Enable auto logout after inactivity toggle and the Save button below

  1. Tick Enable auto logout after inactivity.

  2. Enter the inactivity timeout in minutes (between 5 and 720, i.e. up to 12 hours).

  3. Click Save. A staff member who hasn't interacted with Lupa for the configured time will first see a Session about to expire warning. The warning covers the screen, shows the staff member's name and avatar, and displays a live countdown: "You will be logged out in [N] seconds." Moving the mouse, pressing any key, or clicking anywhere dismisses it instantly and resets the timer. If no activity is detected before the countdown reaches zero, Lupa shows a brief Logging you out message and signs the staff member out — they will need to log in again.

The inactivity timer persists across browser tab closes. Closing the Lupa tab and reopening it does not reset the clock — if the timeout has already passed by the time the tab is reopened, Lupa will sign the staff member out immediately on load. The setting applies to every clinic in your group and every staff member.

Reasonable starting points: 30 minutes for a busy reception or consult-room shared computer; 60–120 minutes for a back-office laptop only used by the practice manager. Too short and staff are constantly re-logging in; too long and you've effectively turned auto-logout off.


What's not in here

To set expectations clearly, these settings only cover:

  • API key creation and enable/disable, with Read or Write backing scope

  • Auto-logout timeout The following are not currently configurable from this page:

What's not here

Where to look instead

Webhooks / event subscriptions

Not currently exposed. If you need event-driven integration, poll the API on a schedule.

Two-factor authentication (2FA)

Not yet available as a self-serve setting. Talk to Lupa support if 2FA is required for compliance.

Audit logs

Lupa records change history internally, but there's no consolidated security audit log surfaced in the UI.

IP allowlisting / restriction

Not currently configurable.

Print Agent token

Lives under Settings → Printing → Print Agent. See .

Roles and per-user permissions

Configured under team management, separately from this page.


Tips

Best practices:

  • One key per integration. Don't share a single key across multiple tools. If one tool gets compromised, you can disable just that key without breaking everything else.

  • Name keys after the integration and environment: External Online Booking Tool, Internal CSV exporter staging. Vague names age badly.

  • Review keys quarterly. Look at Last used: if a key hasn't been called in months, the integration is probably gone. In that case disable the key to reduce attack surface.

  • Default to Read. Only create API keys when an integration genuinely needs to push data into Lupa.

  • Rotate after staff changes. When the person who created an integration leaves, rotate the keys they created and confirm the integration still works.

  • Pick auto-logout that matches your environment. Shared front-desk machines benefit from short timeouts; private laptops can run longer.


Troubleshooting

Problem

Solution

I can't find API Keys or Security

Both live in Admin Settings, not the per-clinic Settings page. You need admin permissions, as well as the relevant permissions (API Keys or Update Security Settings).

I lost the key value after closing the dialog

The full key only displays at creation time. Disable the key and create a new one, then update the integration with the new value.

An integration started failing this morning

Check the key in Admin Settings → API Keys. If Enabled is off, someone disabled it. Confirm the integration owner before re-enabling.

Last used is blank for a key I'm sure is in use

The integration may have been failing to authenticate (typo in the key, calling the wrong endpoint). Check its logs.

Staff complain auto-logout is too aggressive

Open Security and increase the minutes. The minimum is 5; pick something realistic for your environment.

I want a webhook, not polling

Webhooks aren't currently configurable. Poll the API on a sensible interval, or contact Lupa support to discuss alternatives.


Frequently Asked Questions

What does the Lupa API let me do? {toggle="true"}

The public API exposes the same data you see in the work app, including clients, pets, appointments, invoices, and reports. Read access lets you view this data, while write access additionally lets you create and update records. Refer to [**https://developers.lupapets.com/docs**](https://developers.lupapets.com/docs) for the endpoint reference.

Can I scope a key to one clinic only? {toggle="true"}

No. Keys are created at company level and authorise across every clinic in your group. If you need data from one clinic only, filter by clinic in your API queries.

Does Lupa support OAuth for third-party apps? {toggle="true"}

Not currently. Authentication for the public API is via API key only.

Is there 2FA for staff logins? {toggle="true"}

Not as a self-serve setting today. Reach out to Lupa support if you have a compliance requirement that mandates it.

Where can I see who used an API key recently? {toggle="true"}

Each key has a **Last used** timestamp. Lupa doesn't currently expose a per-call audit log, but the timestamp is enough to spot integrations that have stopped calling.

How does auto-logout interact with multi-tab usage? {toggle="true"}

Activity in any open Lupa tab counts as activity across all of them — as long as someone is interacting with Lupa in one tab, the timer resets. Closing all Lupa tabs does not reset the clock. If the inactivity timeout passes while the tabs are closed, Lupa will sign the staff member out as soon as they reopen it.

What happens if my key is leaked? {toggle="true"}

Disable it immediately from **Admin Settings → API Keys**, then create a new one and update the integration. Disabled keys stop authenticating instantly, so leaked credentials become useless the moment you flip the toggle.


Related Articles

Did this answer your question?