API Key
What is API Key?
When a system needs to call another system's API, it presents an API key — a long, opaque string that proves the request comes from a known and authorized account. The receiving system checks the key against its records, applies the right permissions and rate limits, and either fulfills the request or rejects it. API keys are simpler than OAuth (no user redirect, no consent screen) and are the workhorse credential for backend-to-backend automation: enrichment calls, webhook senders, scheduled jobs, and AI agents acting on behalf of an account. Keys must be stored as secrets — leaked keys are a common source of breaches — and rotated regularly.
Why it matters
- Lets backend services authenticate without dragging a human through an OAuth flow.
- Scopable — a single tenant can issue read-only, write, or admin keys to different downstream systems.
- Auditable — every API call is tagged with the key that made it, giving clean per-integration logs.
Use cases
- Enrichment integration. Your CRM calls an enrichment API using a stored key on every new lead.
- Agent authorization. An AI agent presents the workspace's key on every action it takes on your behalf.
- Webhook signature verification. Outbound webhooks include a key-derived signature so the receiver can verify the source.
How turgo helps
turgo issues scoped API keys per workspace and per integration, with one-click rotation, full audit logs, and rate-limit visibility — keys are first-class citizens, not an afterthought.
See turgo in action →