Skip to content
INFIMA Knowledge Base

Reporting API

Your client’s CFO wants a real-time training compliance chart on the leadership Power BI dashboard, or you’re building a partner portal that surfaces phishing trends per customer, or you’re sending nightly user-risk data to a warehouse for cross-platform analytics. The Reporting API is what powers all of that — generate a key, point your tooling at our endpoints, the data flows.

It’s also what powers our ConnectWise Security 360 integration under the hood. Same API, same key.

Where this lives

Open the partner menu → Settings → Integrations → API Keys (third tab). Existing keys appear in a list; the Generate button is in the header.

What the API gives you

  • Partner-wide rollups — counts and trends across every client you onboard.
  • Per-client training data — course assignments, completion status, quiz scores, certificates earned.
  • Per-client phishing data — test sends, clicks, reports, repeat-offender lists.
  • Per-user records — risk scores, training history, phishing test history.

Endpoint reference, response shapes, and example requests live at infimasec.com/developers. That’s the canonical source — start there before writing a single line of integration code.

Generate a key

  1. Open Settings → Integrations → API Keys.

  2. Click Generate Key. A title field appears.

  3. Give the key a title. Use something identifiable — what the integration is for, where you’re using it. Good examples: Power BI dashboard, ConnectWise Security 360, Acme Corp custom portal, Nightly Snowflake ETL. You’ll thank yourself when rotating a year from now and you have four keys to choose between.

  4. Click Generate. The new key appears in a green confirmation box with a Copy button.

Store the copied key in a password manager, your team’s secrets vault, or the secrets store of whatever tooling will consume it. Don’t paste it into Slack, email, or a shared doc.

Using the key

Every request to the Reporting API must include the key in the request header:

X-API-Key: YOUR_API_KEY

A request without the header (or with a revoked / wrong key) returns 401 Unauthorized. Endpoint URLs and response shapes are in the developer reference at infimasec.com/developers.

Revoke a key

Use revoke when:

  • You’re rotating keys on a schedule (good operational hygiene — quarterly is reasonable).
  • You suspect a key has been exposed (committed to a public repo, included in a shared screenshot, etc.).
  • An integration is being decommissioned and you want to make sure no leftover process is still calling.

  1. Find the key in the list. Each row shows the title, the prefix (the first few characters of the key — used so you can identify which is which without exposing the whole thing), and the date it was created.

  2. Click Revoke on the row. A confirmation modal opens: “Revoke API key <title>? Any integrations using this key will stop working.”

  3. Click Confirm. The key is invalidated immediately. Any in-flight request with that key starts returning 401 within seconds.

Revocation is immediate and irreversible — there’s no grace period or undo. Make sure you’ve replaced the key in the consuming tooling first, or scheduled a window where the integration can be offline.

You’ll know it worked when

  • Generated: the green confirmation appears with the full key, the Copy button, and the warning that it won’t be shown again. After closing, the key appears in the list with its title and prefix.
  • A request authenticates: your tooling gets a 200 with data instead of a 401.
  • Revoked: the row disappears from the list. Any integration still using that key starts returning 401.

Frequently asked

Can I scope a key to a single client? Not from the dashboard today. Every key returns data across all clients under your partner. If you need to share data with a customer’s IT team scoped to just their tenancy, the supported path is generating reports through the dashboard’s Reports & Evidence surface — those run per-client and you can email them out. If per-client API scoping is critical for your use case, contact our support team.

How many keys can I have at once? There’s no hard limit in the dashboard. Generate as many as you need — one per integration is the recommended pattern so you can rotate or revoke independently.

I lost a key. How do I get it back? You can’t. We don’t store keys in a retrievable form after generation — only the prefix shown in the list. Generate a new one with the same title, swap it into your tooling, and revoke the old one.

Is there a rate limit? Yes — the limits are documented at infimasec.com/developers alongside each endpoint. If your tooling needs higher throughput than the documented limits allow, contact our support team and we can talk through options.

Can a client admin generate or view keys? No. API key management is partner-level only — client-scoped admins don’t see the Integrations area at all. If a client needs API access to their own data, you (the partner) generate the key and share it through your normal secret-handling process.

Will the ConnectWise Security 360 integration work without me generating a key? The CWS360 integration uses a key under the hood. If you set up CWS360 first, the integration owns the key it needs and you don’t have to generate one separately. If you generated a key first for a different use, CWS360 can use the same key — they’re not exclusive.

The key I generated isn’t working — requests return 401. Three things to check, in order: (1) the header name is exactly X-API-Key (not Authorization, not lowercase); (2) the key string was copied in full with no leading/trailing whitespace; (3) the key hasn’t been revoked from the dashboard. If all three are fine and you’re still getting 401, regenerate and try the new key — there’s no harm in confirming whether the issue is the key or the request shape.

Do API responses count against my user quota? No — API calls don’t increment any per-user counter. The quota concept only exists for licensed seats in the training and phishing surfaces.