API keys
Create scoped keys for Zapier, webhooks, and direct API access.
API keys authenticate programmatic access to your Sjocamp account. They’re separate from your login and can be revoked individually.
Creating a key
Go to API keys in the sidebar. Click Create key.
- Label — what you’ll use the key for (e.g., “Zapier”, “Internal CRM sync”). Visible only to you.
- Scope — restricts what the key can do:
| Scope | Allows |
|---|---|
read | List campaigns, leads, segments. No mutations. |
write | Read + create/update leads. |
zapier | The minimum needed for the Zapier app. |
all | Full access — read, write, manage webhooks, send blasts. |
Pick the narrowest scope that works — if a key is only used by Zapier, give it the zapier scope, not all.
Storing the key
The key is shown once at creation. Copy it immediately — you can’t view it again. If you lose it, revoke and create a new one.
Treat keys like passwords:
- Don’t commit them to git.
- Store them in your secrets manager (Doppler, 1Password, AWS Secrets Manager, etc.).
- Rotate them if a developer leaves your team.
Using the key
Send the key as a Bearer token:
curl https://api.sjocamp.co/v1/campaigns \
-H "Authorization: Bearer lk_live_..."Revoking
Click Revoke on the API keys page. The key stops working immediately — any service using it will start receiving 401 responses, so coordinate before revoking a key that’s in production.
Why scoped keys
If a third-party tool only needs to push leads in (e.g., a Typeform → Sjocamp Zap), a write-scoped key can’t be used to read your full lead list or send a blast on your behalf — even if it’s leaked. This is real defense-in-depth, not theatre.