API keys authenticate requests to the Run a Call REST API. Generate them in Settings → Integrations → API. Only Owner can create keys.

Open the API page

Go to Settings → Integrations → API, then click + New API key.

Fill in the fields

Field	What it controls
Label	What this key is for — "Zapier production", "Internal CRM sync". Helps you identify it later.
Scopes	Which API resources this key can read/write (customers, jobs, invoices, etc.)
Rate limit (per minute)	How many requests per minute. Conservative default; raise for high-throughput integrations.
IP allowlist	Optional list of IPs that can use this key. Recommended for production keys.
Expires at	Optional. Set to auto-revoke on a date.

Click Generate.

Warning

Copy the full key now. It's shown once and not visible again — only the prefix (e.g. rak_live_a3f2…) is stored for reference.

Each scope limits what API endpoints the key can hit. Common scopes:

Scope	Allows
`customers:read` / `customers:write`	Read or write customer records
`jobs:read` / `jobs:write`	Read or write jobs
`invoices:read` / `invoices:write`	Read or write invoices
`pricebook:read`	Read pricebook items
`webhooks:write`	Create or update webhook subscriptions

Tip

Best practice: least privilege — give each key only the scopes it needs. A reporting key probably only needs :read.

If a key is compromised (or you no longer need it):

Revoked keys stop authenticating immediately. The key record stays in the list (greyed out) for audit purposes.

Column	What it shows
Label	The name you gave the key
Key prefix	First few characters
Scopes	Permissions granted
Rate limit	Requests per minute
Last used	Timestamp of most recent request
Status	Active, revoked, or expired
Created at	When the key was generated