Creating & using API keys
Create an API key, keep it safe, authenticate a request with it, find the API reference, and revoke a key. Owner-only.
Advanced An API key lets your own scripts, tools, and integrations call the Protocol REST API. You create a key in the dashboard, send it with each request as a bearer token, and it acts with your account’s access. Keys are long-lived — they work until you revoke them.
Owner only. Only a team owner can see this screen and create keys. If you run Protocol on your own, you’re the owner. Invited team coaches don’t have access.
Where to find it
Open your profile menu (your avatar, top-right) → Integrations → the API keys tab.
Create a key
Click Create API key, give it a name that says where it’ll be used (e.g. “Zapier production” or “Nightly export script”), and create it.
Protocol then shows you the full key exactly once. Copy it and store it somewhere safe (a password manager, or your integration’s secrets) before you close the dialog.
Copy it once. For your security, Protocol never stores the raw key — only a one-way hash. If you lose the key you can’t recover it; revoke it and create a new one. Treat a key like a password: it acts as you.
Use the key
Send the key in the Authorization header of every request, as a bearer token:
Authorization: Bearer pk_live_a1b2c3d4e5f6…9f8e7d6c5b4a
For example, with curl:
curl https://api.protocolcrm.com/v1/util/configs \
-H "Authorization: Bearer pk_live_a1b2c3d4e5f6…9f8e7d6c5b4a"
That same header works on every endpoint in the API reference — the key authenticates you exactly as if you were signed in.
You can also try endpoints live in the API reference: click Authorize, paste your key, and every “Try it out” call will use it.
Where’s the full API reference?
- Interactive reference (Swagger UI): api.protocolcrm.com/docs — browse every endpoint, see request/response shapes and examples, and try calls live.
- Raw OpenAPI spec: api.protocolcrm.com/v1/openapi.json — import this into Postman, Insomnia, or an API client to generate a collection.
Revoke a key
If a key is no longer needed — or might be exposed — revoke it from the API keys tab. Revoking is immediate: the key stops working on the very next request. There’s no undo, so if you still need access, create a new key first and swap it in.
Good to know
- A key acts as you (the owner), with full access. It can do anything your account can. Give each integration its own key so you can revoke one without disturbing the others, and only create keys for tools you trust.
- Keys stop working if your access changes. If your owner access is removed or your account is deactivated, every key you created stops authenticating right away.
- These are not the same as connecting an AI assistant. The AI Agent page has its own connector keys (for Claude / ChatGPT over MCP). API keys here are for calling the REST API directly. See Connecting your assistant if that’s what you’re after.