Security model
Confera Public API keys are server-side secrets tied to one conference. They automatically stop working when:
exhibition:write — submit exhibits + upload payment proof.- The conference is not
live - The conference plan ends
- The key is revoked or expired
This is intentional: you can safely give keys to vendors without worrying they keep working forever.
Scopes (permissions)
Give each integration the smallest set of permissions it needs.
- website:read – read website content
- events:read – read schedule, venues, speakers
- events:write – manage workshop registrations + uploads
- abstracts:read – read accepted abstracts
- abstracts:write – submit abstracts + upload attachments
- exhibition:read – read published exhibits
- registrations:read – read registration config + registrations
- registrations:write – create registrations
- badges:write – record badge check-ins
- attendance:write – record attendance check-ins
Module gating
Even with a valid key, endpoints can be blocked when a module is disabled/suspended for that conference. This prevents “ghost integrations” when modules are turned off.
Key rotation
- 1) Create a new key with the same scopes.
- 2) Update your integration to use the new key.
- 3) Revoke the old key.
Where to store keys
Store keys in your server’s environment variables or secret manager.
Example
bash