API Keys API
This document describes API key management for the Integration API.
Overview
API keys are created and managed through the Admin Portal. This document describes the key format, scopes, and lifecycle for integration partners.
Obtaining API Keys
API keys are created by CRM administrators via the Admin Portal:
- Navigate to Settings > Integrations > API Keys
- Click Create New Key
- Enter a friendly name (e.g., "Zapier Integration")
- Select required scopes
- Copy and securely store the generated key
Important: The API key is displayed only once at creation. Store it securely. If lost, create a new key.
Key Format
wlcro_{companyId}_{secret}
Example: wlcro_92_abc123def456ghi789...
Available Scopes
| Scope | Description |
|---|---|
| events:read | Poll events via GET /api/v1/events |
| webhooks:write | Create, update, delete webhook subscriptions |
| integrations:read | Search clients and affiliates |
| integrations:write | Create leads, notes, clients, affiliates |
| admin | Administrative operations |
Select only the scopes required for your integration.
Key Lifecycle
Active Keys
Active keys authenticate requests normally. Each successful authentication updates the lastUsedUtc timestamp (throttled to once per 5 minutes).
Revoked Keys
Keys can be revoked by CRM administrators:
- Revocation is immediate
- All subsequent requests with the revoked key return 401
- Revocation cannot be undone
To restore access after revocation, create a new key.
Security
Storage
- Keys are stored as SHA-256 hashes with server-side pepper
- Original key cannot be recovered from the hash
- If you lose a key, create a new one
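The storage and revocation behaviour described above, as an added Python example that is not the service's own code. Assumptions: the pepper is mixed in with HMAC-SHA-256 (the page only says "SHA-256 hashes with server-side pepper"), companyId is numeric, a missing scope returns 403, and `KeyStore`, `parse_key`, `key_digest` and the pepper value are hypothetical names and constructed data.

```python
import hashlib
import hmac

PREFIX = "wlcro"
PEPPER = b"constructed-demo-pepper"  # assumption: real pepper comes from a secret store

def parse_key(api_key):
    """Split wlcro_{companyId}_{secret}; return (company_id, secret) or None."""
    parts = api_key.split("_", 2)  # maxsplit=2 so the secret may itself contain '_'
    if len(parts) != 3 or parts[0] != PREFIX:
        return None
    company, secret = parts[1], parts[2]
    if not (company.isascii() and company.isdigit()) or not secret:
        return None  # assumption: companyId is a decimal integer
    return int(company), secret

def key_digest(api_key, pepper=PEPPER):
    """Peppered SHA-256 of the full key (HMAC construction is an assumption)."""
    return hmac.new(pepper, api_key.encode("utf-8"), hashlib.sha256).hexdigest()

class KeyStore:
    """Hypothetical in-memory store: only digests are kept, never raw keys."""

    def __init__(self):
        self._rows = {}  # digest -> {"company_id", "scopes", "revoked"}

    def add(self, api_key, scopes):
        company_id, _ = parse_key(api_key)
        self._rows[key_digest(api_key)] = {
            "company_id": company_id, "scopes": set(scopes), "revoked": False}

    def revoke(self, api_key):
        # Revocation is a one-way flag; restoring access means issuing a new key.
        self._rows[key_digest(api_key)]["revoked"] = True

    def authenticate(self, api_key, required_scope):
        """Return an HTTP status: 200, 401 (unknown or revoked key), 403 (scope)."""
        parsed = parse_key(api_key)
        if parsed is None:
            return 401
        row = self._rows.get(key_digest(api_key))  # lookup by digest, not raw key
        if row is None or row["revoked"] or row["company_id"] != parsed[0]:
            return 401
        return 200 if required_scope in row["scopes"] else 403  # 403 is an assumption
```
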
Best Practices
- Store keys in secure credential storage (not source code)
- Use separate keys for different environments
- Use separate keys for different integrations
- Revoke unused keys
- Monitor lastUsedUtc to identify inactive keys