Developers
Create and manage API keys to build custom integrations on top of Cloodot.
Go to Settings → Developers → API Keys to manage programmatic access to Cloodot — keys for custom integrations, scripts, or third-party tools that talk to your workspace.
Developer settings are available to admins and owners only.
API keys
Create a key
- Click Create Key.
- In the drawer, fill in:
- Name — a friendly label (e.g. "Zapier integration" or "Internal reporting script").
- Expiration — Never, 30 days, 90 days, or 1 year.
- Click Create Key.
The full key value appears in a dialog with a Copy button.
This is the only time Cloodot shows the full key. Copy it somewhere safe before closing the dialog — if you lose it, delete the key and create a new one.
Click Done once the key is stored securely.
Manage your keys
Existing keys appear in a table:
| Column | What it shows |
|---|---|
| Name | The friendly label you gave the key |
| Key | A masked preview (for example, cloodot_********) |
| Created | When the key was created |
| Expires | The expiration date, or "Never" |
| Status | Active (green) or Disabled (red) |
| Actions | Delete the key |
Delete a key
Click the trash icon on any key. You'll see a confirmation prompt:
"Any applications using this key will lose access immediately. This action cannot be undone."
Click Delete to confirm.
Deletion is instant. Any scripts or integrations using the key will start failing right away — confirm nothing critical depends on it first.
API documentation
The Developers page links to the full API Documentation, where you'll find:
- The complete REST API reference
- Authentication details
- Webhook setup and payloads
- Integration guides
Click the API Documentation card to open it in a new tab.
Authentication: API keys vs. OAuth
Cloodot's public API accepts two authentication methods with different permission models. Pick the one that matches what you're building.
API keys — full workspace access
API keys created on this page grant full read and write access to every resource in your workspace. They don't honor OAuth scopes — once a key is valid, it can call every endpoint the API exposes.
Use API keys when:
- You're building a server-side integration you fully control (internal scripts, your own backend, Zapier with stored credentials).
- The integration genuinely needs broad access across resources.
- A single team manages the key end to end.
Because API keys bypass scope restrictions, treat them like a workspace password. Anyone who obtains the key can read every conversation, contact, and message — and can send messages or modify settings on your behalf. Store them in a secret manager, never in client-side code, and rotate them when team members leave.
OAuth tokens — scoped access
OAuth bearer tokens (issued through the OAuth 2.1 flow at /.well-known/oauth-authorization-server) are scope-gated. Each token carries a list of scopes — for example read:conversations, write:messages, read:contacts — and requests are rejected with 403 INSUFFICIENT_SCOPE if the scope is missing.
Use OAuth when:
- You're building a third-party app that other Cloodot customers will install.
- You want users to grant the smallest possible set of permissions (principle of least privilege).
- You're integrating with the MCP server — MCP access requires an OAuth token with the
mcp:accessscope and the relevant resource scopes per tool call.
| Capability | API key | OAuth token |
|---|---|---|
| Scope enforcement | No — full workspace access | Yes — only the granted scopes |
Works with MCP /mcp endpoint | No | Yes (requires mcp:access) |
| Per-endpoint rate limits | 60 reads/min, 20 writes/min (per-org and per-IP) | 60 reads/min, 20 writes/min (per-org) |
| Revocation | Delete from this page | Revoke via authorization server |
| Best for | First-party scripts, internal tools | Third-party apps, MCP clients |
In addition, AI-generation endpoints are limited to 5 requests/min, and all traffic is capped at 200 requests/min per IP.
Keep keys safe
- Never commit API keys to source control. Use environment variables or a secret manager.
- Scope by purpose. Create a separate key per integration so you can revoke one without breaking the others.
- Set an expiration date whenever you can — a strong safety net against lost or forgotten keys.
- Rotate keys regularly, especially after a teammate with access leaves your organization.
- Use Logs to spot unexpected activity on any key.
Related topics
- Developer Logs — monitor API usage and errors
- Integrations — connect Cloodot to other tools without writing code
- MCP Servers — extend Copilot with custom tools