Developers
Create and manage API keys to build custom integrations on top of Cloodot.
Go to Settings → Developers → API Keys to manage programmatic access to Cloodot — keys for custom integrations, scripts, or third-party tools that talk to your workspace.
Developer settings are available to admins and owners only.
API keys
Creating a key
- Click Create Key.
- Fill in the details in the drawer that opens:
  - Name — A friendly label to help you remember what this key is for (for example, "Zapier integration" or "Internal reporting script").
  - Expiration — Choose how long the key stays valid:
    - Never
    - 30 days
    - 90 days
    - 1 year
- Click Create Key.
Once the key is generated, you'll see the full value in a dialog with a Copy button.
This is the only time the full key will be shown. Copy it somewhere safe before closing the dialog — if you lose it, you'll need to delete the key and create a new one.
Click Done when you've stored the key securely.
Managing your keys
All of your existing keys appear in a table showing:
| Column | What it shows |
|---|---|
| Name | The friendly label you gave the key |
| Key | A masked preview (for example, clo_********) |
| Created | When the key was created |
| Expires | The expiration date, or "Never" |
| Status | Active (green) or Disabled (red) |
| Actions | Delete the key |
Deleting a key
Click the trash icon on any key to delete it. You'll see a confirmation prompt:
"Any applications using this key will lose access immediately. This action cannot be undone."
Click Delete to confirm.
Deleting a key is instant. Any scripts or integrations using it will start failing right away, so make sure nothing critical is relying on it first.
API documentation
The Developers page links out to the full API Documentation, where you'll find:
- The complete REST API reference
- Authentication details
- Webhook setup and payloads
- Integration guides
Click the API Documentation card to open it in a new tab.
Authentication: API keys vs OAuth
Cloodot's public API accepts two authentication methods, and they have different permission models. Pick the one that matches what you're building.
API keys — full workspace access
API keys created on this page grant full read and write access to every resource in your workspace. They do not honor OAuth scopes — once a key is valid, it can call any endpoint the API exposes.
Use API keys when:
- You're building a server-side integration that you fully control (internal scripts, your own backend, Zapier with stored credentials).
- The integration genuinely needs broad access across resources.
- A single team manages the key end-to-end.
Because API keys bypass scope restrictions, treat them like a workspace password. Anyone who obtains the key can read every conversation, contact, and message — and can send messages or modify settings on your behalf. Store them in a secret manager, never in client-side code, and rotate them when team members leave.
OAuth tokens — scoped access
OAuth bearer tokens (issued through the OAuth 2.1 flow at /.well-known/oauth-authorization-server) are scope-gated. Each token carries a list of scopes — for example read:conversations, write:messages, read:contacts — and requests are rejected with 403 INSUFFICIENT_SCOPE if the scope is missing.
Use OAuth when:
- You're building a third-party app that other Cloodot customers will install.
- You want users to grant the smallest possible set of permissions (principle of least privilege).
- You're integrating with the MCP server — MCP access requires an OAuth token with the mcp:access scope and the relevant resource scopes per tool call.
| Capability | API key | OAuth token |
|---|---|---|
| Scope enforcement | No — full workspace access | Yes — only the granted scopes |
| Works with MCP /mcp endpoint | No | Yes (requires mcp:access) |
| Per-endpoint rate limits | Tiered (60 read/min, 20 write/min) | Per-org + per-IP |
| Revocation | Delete from this page | Revoke via authorization server |
| Best for | First-party scripts, internal tools | Third-party apps, MCP clients |
Keeping keys safe
- Never commit API keys to source control. Use environment variables or a secret manager.
- Scope by purpose. Create a separate key for each integration so you can revoke one without breaking the others.
- Set an expiration date whenever you can — it's a solid safety net against lost or forgotten keys.
- Rotate keys regularly, especially after a team member with access leaves your organization.
- Use the Logs page to spot unexpected activity on any key.
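One way to enforce the "never commit API keys" rule is a scanner run as a pre-commit hook or CI step. The script below is an added example, not part of Cloodot's own tooling. It assumes a key is the clo_ prefix from the masked preview followed by 16 or more letters and digits, which this page does not document; `scan_text` and `scan_tree` are hypothetical helper names.

```python
import re
import sys
from pathlib import Path

# Assumption: a key is the "clo_" prefix from the masked preview followed by
# 16 or more letters and digits. The real key body format is not documented
# on this page, so adjust the pattern to match keys from your workspace.
KEY_PATTERN = re.compile(r"(?<![A-Za-z0-9_])clo_[A-Za-z0-9]{16,}")
MASKED = "clo_********"  # same masked form the keys table displays
SKIP_DIRS = {".git", "node_modules", ".venv", "__pycache__"}


def scan_text(text):
    """Return (line_number, redacted_line) for each line holding a suspected key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if KEY_PATTERN.search(line):
            # Redact before reporting so scan output never leaks the key itself.
            findings.append((lineno, KEY_PATTERN.sub(MASKED, line).strip()))
    return findings


def scan_tree(root):
    """Walk a working tree and return (path, line_number, redacted_line)."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or SKIP_DIRS & set(path.parts):
            continue
        try:
            text = path.read_text(encoding="utf-8", errors="ignore")
        except OSError:
            continue  # unreadable file: skip it rather than abort the scan
        results.extend((str(path), n, line) for n, line in scan_text(text))
    return results


if __name__ == "__main__":
    # Exit non-zero on any hit so a pre-commit hook or CI job blocks the change.
    hits = scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, lineno, line in hits:
        print(f"{path}:{lineno}: possible Cloodot API key: {line}")
    sys.exit(1 if hits else 0)
```

If the scanner finds a key that has already reached a shared branch, delete that key on this page and create a replacement, since removing it from the file does not remove it from history.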
Related topics
- Developer Logs — Monitor API usage and errors
- Integrations — Connect Cloodot to your other tools without writing code
- MCP Servers — Extend Copilot with custom tools