"Errors":[ "Not authorized to perform action: Invalid key" ]
Basic credentials cannot POST changes without first acquiring a security token. This process has been deprecated in the production environment in favor of using API keys, however is still necessary for sandbox environments and on-premises appliances.
If you are working within an application that has already registered a session and you try to use an API key, you may encounter the above error if the application is sending cookie data that contains authorization from your registered session. When this happens, it is effectively the same issue as sending basic credentials without a security token.
In this scenario, either disable cookies in the application or manually send a blank Cookie header.
An example of this scenario would be using a browser with an installed REST API client extension. You are logged into Rally in another tab in the browser and using an API key in the REST API client extension. If the browser is sending the existing cookie session data, the request will fail.
This scenario is actually a combination of the above two issues. Under normal circumstances, a read-only key trying to POST would result in a 401 error. However when using a read-only key in the presence of an established session it is guaranteed to try and use the credentials from the established session and will fail.
An extenuating condition where this is seen with full-access keys, is one where invalid POST operations have been attempted and subsequently the "Invalid key" response has been cached for that request by a proxy. If there is a caching proxy server in use at your location, then there is no control over that from an Agile Central perspective and you will need to work with your network team to adjust rules to prevent responses from being cached.