Cloodot
Settings

Developers

Create and manage API keys to build custom integrations on top of Cloodot.

Go to Settings → Developers → API Keys to manage programmatic access to Cloodot — keys for custom integrations, scripts, or third-party tools that talk to your workspace.

Developer settings are available to admins and owners only.

API keys

Create a key

  1. Click Create Key.
  2. In the drawer, fill in:
    • Name — a friendly label (e.g. "Zapier integration" or "Internal reporting script").
    • ExpirationNever, 30 days, 90 days, or 1 year.
  3. Click Create Key.

The full key value appears in a dialog with a Copy button.

This is the only time Cloodot shows the full key. Copy it somewhere safe before closing the dialog — if you lose it, delete the key and create a new one.

Click Done once the key is stored securely.

Manage your keys

Existing keys appear in a table:

ColumnWhat it shows
NameThe friendly label you gave the key
KeyA masked preview (for example, cloodot_********)
CreatedWhen the key was created
ExpiresThe expiration date, or "Never"
StatusActive (green) or Disabled (red)
ActionsDelete the key

Delete a key

Click the trash icon on any key. You'll see a confirmation prompt:

"Any applications using this key will lose access immediately. This action cannot be undone."

Click Delete to confirm.

Deletion is instant. Any scripts or integrations using the key will start failing right away — confirm nothing critical depends on it first.

API documentation

The Developers page links to the full API Documentation, where you'll find:

  • The complete REST API reference
  • Authentication details
  • Webhook setup and payloads
  • Integration guides

Click the API Documentation card to open it in a new tab.

Authentication: API keys vs. OAuth

Cloodot's public API accepts two authentication methods with different permission models. Pick the one that matches what you're building.

API keys — full workspace access

API keys created on this page grant full read and write access to every resource in your workspace. They don't honor OAuth scopes — once a key is valid, it can call every endpoint the API exposes.

Use API keys when:

  • You're building a server-side integration you fully control (internal scripts, your own backend, Zapier with stored credentials).
  • The integration genuinely needs broad access across resources.
  • A single team manages the key end to end.

Because API keys bypass scope restrictions, treat them like a workspace password. Anyone who obtains the key can read every conversation, contact, and message — and can send messages or modify settings on your behalf. Store them in a secret manager, never in client-side code, and rotate them when team members leave.

OAuth tokens — scoped access

OAuth bearer tokens (issued through the OAuth 2.1 flow at /.well-known/oauth-authorization-server) are scope-gated. Each token carries a list of scopes — for example read:conversations, write:messages, read:contacts — and requests are rejected with 403 INSUFFICIENT_SCOPE if the scope is missing.

Use OAuth when:

  • You're building a third-party app that other Cloodot customers will install.
  • You want users to grant the smallest possible set of permissions (principle of least privilege).
  • You're integrating with the MCP server — MCP access requires an OAuth token with the mcp:access scope and the relevant resource scopes per tool call.
CapabilityAPI keyOAuth token
Scope enforcementNo — full workspace accessYes — only the granted scopes
Works with MCP /mcp endpointNoYes (requires mcp:access)
Per-endpoint rate limits60 reads/min, 20 writes/min (per-org and per-IP)60 reads/min, 20 writes/min (per-org)
RevocationDelete from this pageRevoke via authorization server
Best forFirst-party scripts, internal toolsThird-party apps, MCP clients

In addition, AI-generation endpoints are limited to 5 requests/min, and all traffic is capped at 200 requests/min per IP.

Keep keys safe

  • Never commit API keys to source control. Use environment variables or a secret manager.
  • Scope by purpose. Create a separate key per integration so you can revoke one without breaking the others.
  • Set an expiration date whenever you can — a strong safety net against lost or forgotten keys.
  • Rotate keys regularly, especially after a teammate with access leaves your organization.
  • Use Logs to spot unexpected activity on any key.

On this page