Cotizera Docs

API Keys

Overview

API keys let you authenticate with the Cotizera API without browser sessions. They're ideal for:

  • Zapier integrations — connect Cotizera to 6,000+ apps
  • Automated scripts — import data, generate quotes programmatically
  • External applications — access the API from your own systems

Key format

API keys follow the format ctza_ followed by 40 hexadecimal characters:

ctza_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0
⚠️ The full key is shown only once when created. Cotizera stores a bcrypt hash of the key — it cannot be retrieved later.

Authenticating with an API key

Include your API key in the Authorization header of every request:

curl https://cotizera.com/api/v1/quotes \
  -H "Authorization: Bearer ctza_a1b2c3d4..."

The key inherits the permissions of the user who created it (role and tenant).

Endpoints

List API keys

GET /api/api-keys

Permission: config:manage (Owner only)

Lists all API keys for the tenant. Never returns the key hash.

Response 200 OK:

[
  {
    "id": "clxyz...",
    "name": "Zapier Integration",
    "prefix": "ctza_a1b2",
    "lastUsedAt": "2026-04-08T14:30:00.000Z",
    "expiresAt": null,
    "isActive": true,
    "createdAt": "2026-03-15T10:00:00.000Z"
  }
]

Create API key

POST /api/api-keys

Permission: config:manage (Owner only)

Creates a new API key. The full key (the key field) is returned only in this response.

Request body:

{
  "name": "My integration",
  "expiresAt": "2027-01-01T00:00:00.000Z"
}
Field     | Type   | Required | Description
----------|--------|----------|------------------------------------
name      | string | Yes      | Descriptive name (1-100 characters)
expiresAt | string | No       | Expiration date in ISO 8601 format

Response 201 Created:

{
  "id": "clxyz...",
  "name": "My integration",
  "prefix": "ctza_a1b2",
  "key": "ctza_a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0",
  "expiresAt": "2027-01-01T00:00:00.000Z",
  "createdAt": "2026-04-09T10:00:00.000Z"
}
⚠️ Copy and save the key immediately. You won't be able to see it again.

Revoke API key

DELETE /api/api-keys/:id

Permission: config:manage (Owner only)

Revokes an API key (soft delete). Requests using this key will immediately stop working.

Response 200 OK:

{
  "success": true
}

Best practices

  • Use environment variables — never hardcode keys in source code
  • Rotate keys periodically — create a new key, update your integrations, then revoke the old one
  • Set expiration dates — for temporary or CI/CD keys, configure expiresAt
  • One key per integration — makes it easy to revoke access if an integration is compromised
  • Never commit keys — add .env files to your .gitignore
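The rotation sequence above (create the new key, update the integration, then revoke the old one), worked through against the documented endpoints as an added example; this is not Cotizera's own client code. It assumes the base URL https://cotizera.com, an environment variable named COTIZERA_API_KEY for the Owner's key, and a caller-supplied deploy hook that installs the new key into the integration.

```python
import json
import os
import re
import urllib.request

BASE_URL = "https://cotizera.com"  # assumed; the docs show this host for /api/v1
KEY_RE = re.compile(r"ctza_[0-9a-f]{40}")  # ctza_ + 40 hex chars, per the docs


def is_valid_key_format(key):
    """True only for the documented shape: 'ctza_' followed by 40 hex digits."""
    return KEY_RE.fullmatch(key) is not None


def api_request(method, path, token, body=None, opener=urllib.request.urlopen):
    """One authenticated call; returns (HTTP status, decoded JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(BASE_URL + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with opener(req) as resp:
        return resp.status, json.loads(resp.read())


def rotate_key(old_key_id, name, deploy, token=None, expires_at=None,
               opener=urllib.request.urlopen):
    """Create a replacement key, hand it to `deploy`, then revoke the old one.

    `deploy(new_key)` is the caller's hook (assumed, not part of the API) that
    installs the key into the integration. The old key is revoked only after
    it returns without error, so a failed deployment never leaves the
    integration without a working key.
    """
    token = token or os.environ["COTIZERA_API_KEY"]  # assumed env var name
    body = {"name": name}
    if expires_at is not None:
        body["expiresAt"] = expires_at  # ISO 8601, as documented
    status, created = api_request("POST", "/api/api-keys", token, body, opener)
    if status != 201 or not is_valid_key_format(created.get("key", "")):
        raise RuntimeError("key creation failed; old key left active")
    deploy(created["key"])  # the only moment the full key is available
    status, result = api_request("DELETE", "/api/api-keys/" + old_key_id,
                                 token, None, opener)
    if status != 200 or not result.get("success"):
        raise RuntimeError("revocation failed; both keys may still be active")
    return {"id": created["id"], "prefix": created["prefix"]}
```

The `opener` parameter exists so the flow can be exercised offline with a fake transport; in production leave it at the default urlopen.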

© 2026 Cotizera. All rights reserved.