Skip to main content
API keys authenticate requests to the Klipy API. Only workspace admins can issue or revoke keys.

Prerequisites

  • You must have the Admin role in your Klipy workspace.
  • Keys are workspace-scoped. A key issued by one workspace cannot access another.

Create a key

1

Open API settings

Go to Settings → API in the Klipy app.
2

Click New API Key

Click the New API Key button. A creation dialog opens.
3

Name the key

Enter a name that identifies the key’s purpose and owner—for example, data-warehouse-sync or internal-crm-integration. Names are for your reference only and have no effect on key behavior.
4

Select scopes

Choose the minimum scopes the integration needs. Keys with fewer scopes are easier to audit and limit the blast radius if a key is compromised.
ScopeAccess granted
ALLFull read and write access to all resources
people:readRead person records
people:writeCreate, update, and upsert person records
companies:readRead company records
companies:writeCreate and update company records
companies:removeDelete company records
interactions:readRead interaction records
interactions:writeCreate interaction records
5

Set an expiry date

Choose when the key should expire. Once a key expires, all requests using it return 401. Select No expiry only for long-lived service accounts where key rotation is managed elsewhere.
Keys do not send expiry alerts. Set a reminder to rotate keys before they expire, or use a short expiry and rotate programmatically.
6

Copy the key

The full key is shown once after creation. Copy it immediately and store it in a secrets manager. Klipy does not display the key value again after you close the dialog.

Use the key

Send the key on every request using one of these methods: 
X-Klipy-Api-Key: klipy_api_<id>

Authorization: Bearer klipy_api_<id>
Keys use the prefix klipy_api_. See Introduction for base URL details and response envelope format.

Security practices

  • Never commit keys to source control. Use environment variables or a secrets manager.
  • Use the narrowest scopes needed. A key for a read-only sync job does not need write scopes.
  • Set expiry dates. Prefer short-lived keys over permanent ones for external integrations.
  • One key per integration. Sharing keys across systems makes rotation and auditing harder.
  • Revoke immediately on compromise. If a key is exposed, revoke it before rotating.

Revoke a key

Go to Settings → API, find the key in the list, and click Revoke. The key becomes invalid immediately. Any in-flight requests using the revoked key return 401. There is no way to re-activate a revoked key. Issue a new key and update your integration.
Last modified on April 5, 2026