API reference/Creating & using API keys
updated 2026-07-06
API reference

Creating & using API keys

Create an API key, keep it safe, authenticate a request with it, find the API reference, and revoke a key. Owner-only.

Advanced  An API key lets your own scripts, tools, and integrations call the Protocol REST API. You create a key in the dashboard, send it with each request as a bearer token, and it acts with your account’s access. Keys are long-lived — they work until you revoke them.

Owner only. Only a team owner can see this screen and create keys. If you run Protocol on your own, you’re the owner. Invited team coaches don’t have access.

Where to find it

Open your profile menu (your avatar, top-right) → Integrations → the API keys tab.

Integrations · API keys
Your API keys
+ Create API key
Zapier production pk_live_a1b2c3d4… Last used 2 Jul Revoke
Nightly export script pk_live_9f8e7d6c… Never used Revoke
The API keys tab lists your active keys — name, a short prefix (never the full key), when it was last used, and a Revoke action. The full key is shown only once, when you create it.

Create a key

Click Create API key, give it a name that says where it’ll be used (e.g. “Zapier production” or “Nightly export script”), and create it.

Create API key
Name
Zapier production
A label to help you recognise this key later. It doesn't affect what the key can do.
CancelCreate key
Name the key for where you'll use it — that's how you'll know which key to revoke later.

Protocol then shows you the full key exactly once. Copy it and store it somewhere safe (a password manager, or your integration’s secrets) before you close the dialog.

API key created
Your new API key
pk_live_a1b2c3d4e5f6…9f8e7d6c5b4a ⧉ Copy
⚠ Copy this key now — you won't be able to see it again. If you lose it, revoke it and create a new one.
Done
The one-time reveal. Protocol stores only a hashed version of your key, so it can never show it to you again — copy it before closing.

Copy it once. For your security, Protocol never stores the raw key — only a one-way hash. If you lose the key you can’t recover it; revoke it and create a new one. Treat a key like a password: it acts as you.

Use the key

Send the key in the Authorization header of every request, as a bearer token:

Authorization: Bearer pk_live_a1b2c3d4e5f6…9f8e7d6c5b4a

For example, with curl:

curl https://api.protocolcrm.com/v1/util/configs \
  -H "Authorization: Bearer pk_live_a1b2c3d4e5f6…9f8e7d6c5b4a"

That same header works on every endpoint in the API reference — the key authenticates you exactly as if you were signed in.

You can also try endpoints live in the API reference: click Authorize, paste your key, and every “Try it out” call will use it.

In the API reference
🔓 Authorize  ▾
bearerAuth  ·  Bearer <token>
Value:  pk_live_…
Paste your key into the reference's Authorize box to run any endpoint against your own account, right from the docs.

Where’s the full API reference?

Revoke a key

If a key is no longer needed — or might be exposed — revoke it from the API keys tab. Revoking is immediate: the key stops working on the very next request. There’s no undo, so if you still need access, create a new key first and swap it in.

Good to know

  • A key acts as you (the owner), with full access. It can do anything your account can. Give each integration its own key so you can revoke one without disturbing the others, and only create keys for tools you trust.
  • Keys stop working if your access changes. If your owner access is removed or your account is deactivated, every key you created stops authenticating right away.
  • These are not the same as connecting an AI assistant. The AI Agent page has its own connector keys (for Claude / ChatGPT over MCP). API keys here are for calling the REST API directly. See Connecting your assistant if that’s what you’re after.