API keys

API keys are how outside tools talk to your Closr account. The web tracker uses one. Zapier and Make use one to POST new leads into your CRM. A custom contact form on your website uses one. You generate them in Settings → Integrations → API Keys.

When you need one

  • **Web tracker.** The snippet on your website sends page-view events back to Closr. The key tells Closr which agent's account they belong to. See `web-tracker-install`.
  • **Custom forms.** A contact form on your Webflow or Squarespace site posts directly to `/api/leads/inbound`. The key authenticates the post. See `lead-intake`.
  • **Zapier / Make.** Connect Facebook Lead Ads, Calendly, Typeform, anything Zapier supports. Use the key as the `x-api-key` header on the POST step.
  • **MCP server access.** When the Closr MCP server lands, it'll use the same key surface to authenticate the agent.

Generating one

  1. Open Settings → Integrations. Scroll to the "API keys" card.
  2. Type a label in the input. Use something specific: "Webflow contact form", "Zapier for FB Lead Ads", "Web tracker on main site". Future-you needs to know which key does what.
  3. Click Generate. A green "COPY NOW" panel appears with the full key (it starts with `closr_`).
  4. Copy the key and paste it into your integration. You won't see this full key again. Closr stores only a hash.
  5. Click Done on the panel. The key now shows in the list below with a short preview (the first 12 characters) so you can recognize it later.

If you lose a key, you can't recover it. Generate a new one, swap it in the integration, revoke the lost one.

What's in the key

The key is a 32-byte random token, base64url-encoded, prefixed with `closr_`. It carries no information about you, your account, or your team. It's a bearer token: anyone with the string can post leads as you, so treat it like a password. Don't commit it to a public Git repo. Don't paste it into a Slack channel. If a key leaks, revoke and regenerate.
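Because the format is fixed, a key-shaped string can be caught before it reaches a commit. The scanner below is an added example, not Closr's own code: it reports each hit by line number and a 12-character preview so the matching key can be found in the API keys list and revoked. It assumes the encoded part is 43 base64url characters (32 bytes, padding optional) and that the preview counts from the start of the full string; the function names and sample data are constructed for illustration.

```python
import base64
import re
import sys

# Assumed layout (the page gives the format but not the padding): "closr_" +
# base64url of 32 bytes = 43 characters, optionally followed by one "=".
KEY_RE = re.compile(r"(?<![A-Za-z0-9_-])closr_[A-Za-z0-9_-]{43}(?![A-Za-z0-9_-])=?")


def find_closr_keys(text):
    """Return (line_number, 12-char preview) per hit; the full key is never kept."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((lineno, match.group(0)[:12]))
    return findings


def scan_files(paths):
    """Scan files (for example, those staged for commit); return {path: findings}."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            hits = find_closr_keys(handle.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample key: a fixed byte pattern, not a real credential.
SAMPLE_KEY = "closr_" + base64.urlsafe_b64encode(bytes(range(32))).decode().rstrip("=")

# Constructed sample file content.
SAMPLE_TEXT = "\n".join([
    "TRACKER_LABEL=Web tracker on main site",
    f'headers = {{"x-api-key": "{SAMPLE_KEY}"}}',
    "api_key = closr_your_key_here",  # placeholder, must not be flagged
])

if __name__ == "__main__":
    report = scan_files(sys.argv[1:])
    if not sys.argv[1:]:
        report = {"<sample>": find_closr_keys(SAMPLE_TEXT)}
    for path, hits in report.items():
        for lineno, preview in hits:
            print(f"{path}:{lineno}: possible Closr API key {preview}...")
    sys.exit(1 if report else 0)  # non-zero exit lets a pre-commit hook block
```

Run it with file paths as arguments from a pre-commit hook; with no arguments it scans the constructed sample.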

Scoping

Today, all keys carry the same permissions: post leads to your team's inbound endpoint and identify visitors for the web tracker. There's no per-key scope-down (read-only, write-only, contact-only, etc.). Per-scope keys land when more integrations need them. In the meantime, the practical scoping is: one key per integration, labeled so you can revoke the right one in a hurry.

You can have up to 10 active keys per team. Beyond that, revoke an unused one and try again.

Rotating a key

Treat key rotation like password rotation: do it on a schedule, and do it the day anyone with access leaves the team.

  1. Generate a new key with a fresh label ("Web tracker v2").
  2. Paste the new key into the integration that was using the old one.
  3. Test the integration end-to-end (send a test lead, click a tracked link).
  4. Revoke the old key from the API keys list. Any tool still using it will start failing immediately, which is how you confirm nothing was left pointing at the old one.

Revoking

Find the key in the list, click the trash icon, confirm. The key is removed from your team's credentials and any tool still using it gets a 401 on the next request. The action is immediate and not reversible.

Related guides

  • `web-tracker-install` for putting the page-view snippet on your site.
  • `lead-intake` for posting form submissions and Facebook Lead Ads into your pipeline.