Key Generation and Usage
Key Generation
Once your initial testing is complete and the application is ready for production, please instruct your client to request an API key via our internal Support Request System. The client should mention which application the API key is for; the production key issued will be given the same permissions as your sandbox key.
We will generate the key and hand it off to the client, who should be able to transmit it to you in an encrypted manner. Treat this key like a password, and notify us immediately if any key has been exposed in plain text. We recommend building functionality in your application that allows an end user to add an API key themselves. The last four digits should be used to reference the key for troubleshooting purposes. You can also find a key ref value by running an introspection call.
You should never transmit or publish the API key, the HTTP Basic Authorization header which uses that key, or any other derivation of the API key, in plain text. API keys should not appear on any web pages or public GitHub repositories and should not be transmitted by email. You should never include the key in client-side JavaScript.
How do I get a production (client) API key?
A client should request an API key for your integration by navigating to API Integrations and selecting "Request an API Key". Production keys must be requested by clients from within the CRM; a vendor cannot request a production key on behalf of a client.
Your integration may be listed in the drop-down; if it is not, the client can click "Submit a Support Request" under "Didn't find what you were looking for?" and ask for an API key to use with your integration.
The key issued will be permissioned in exactly the same way as your existing sandbox key.
Other Best Practices
This API is not intended to replace the Create A List, Export Wizard or Bulk Upload tools. Please throttle your API requests to no more than 5 per second and run them synchronously (that is, do not send a new request until the existing request comes back).
A more detailed overview of throttling best practices can be found here.
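The following is an added example, not code from this page or from the API provider: a synchronous wrapper that starts at most 5 requests in any one-second window and refers to the key only by its last four characters. The `send` callable, the names `ThrottledClient` and `key_ref`, and the sample key are assumptions made for illustration.

```python
import time
from collections import deque

MAX_PER_SECOND = 5  # request limit stated on this page


def key_ref(api_key):
    """Log-safe reference to a key: its last four characters only."""
    if len(api_key) < 8:  # too short to reveal any part of it
        return "****"
    return "****" + api_key[-4:]


class ThrottledClient:
    """Sends one request at a time, never more than 5 starts in any second."""

    def __init__(self, send, api_key, clock=time.monotonic, sleep=time.sleep):
        self._send = send  # hypothetical callable(api_key, request) -> response
        self._api_key = api_key
        self._clock = clock
        self._sleep = sleep
        self._starts = deque(maxlen=MAX_PER_SECOND)  # start times of last 5 calls

    def __repr__(self):
        # Keep the full key out of logs and tracebacks.
        return f"ThrottledClient(key={key_ref(self._api_key)})"

    def call(self, request):
        now = self._clock()
        if len(self._starts) == MAX_PER_SECOND:
            # The 6th call may start no sooner than 1 s after the 1st of the last 5.
            wait = self._starts[0] + 1.0 - now
            if wait > 0:
                self._sleep(wait)
                now = self._clock()
        self._starts.append(now)
        # Blocks until the response is back, so calls never overlap.
        return self._send(self._api_key, request)


if __name__ == "__main__":
    def fake_send(api_key, request):  # stand-in for the real HTTPS call
        return {"request": request, "status": 200}

    client = ThrottledClient(fake_send, "constructed-sample-key-9f3a")
    began = time.monotonic()
    for n in range(12):
        client.call(n)
    print(client, f"12 calls took {time.monotonic() - began:.2f}s")
```

Load the real key from a secret store or environment variable at runtime rather than from source code, and pass the clock and sleep arguments only in tests.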
Updated about 3 years ago