API keys
Create and manage API keys to authenticate programmatic access to your bont data, with scopes that limit what each key can do and expiry dates to keep them rotating.
API keys authenticate programmatic access to your bont workspace — for your own integrations and for managing webhooks. Each key carries a set of scopes that decide exactly what it can read or change, so you can hand out narrow access instead of all-or-nothing credentials.
Open it
Settings → Integrations → API keys. The page lists your keys with their prefix, scopes, expiry, and when each was last used.
Creating a key
- Click + New API key.
- Give it a name that says where it's used (for example "Zapier" or "Internal sync").
- Set an optional expiry date — short-lived keys are safer and easy to rotate.
- Pick the scopes: each scope is a resource (contacts, companies, deals, and so on) paired with an action, so a key can be read-only or limited to specific objects.
The full key is shown once, at creation. Copy it into your integration's secrets store right away — bont keeps only a hashed version and can't show it again. If you lose it, revoke the key and create a new one.
Rotating and revoking
Edit a key to adjust its name, scopes, or expiry. Revoke a key the moment it's no longer needed or might be exposed — revoking takes effect immediately and any caller using it stops working. Rotating regularly (create the new key, switch your integration over, then revoke the old one) keeps long-lived credentials from piling up.
Keep keys safe
- Store keys in a secrets manager or environment variable — never in shared docs, tickets, or client-side code.
- Give each integration its own key, scoped to only what it needs.
- Set expiries and rotate on a schedule.