Authentication
Secure your API requests with API keys
The Anchor CRM API uses API keys for authentication. Every request to the API must include a valid API key. API keys are tied to your organization and can be scoped with different permission levels.
Creating API Keys
- Navigate to Settings → API Keys
- Click "Create API Key"
- Enter a descriptive name (e.g., "FluxCascade Integration", "Development Testing")
- Select the appropriate scopes for your use case
- Optionally set an expiration date
- Copy your API key immediately - it won't be shown again!
Keep your API keys secure
Never commit API keys to version control, share them in public channels, or expose them in client-side code. Treat them like passwords.
Using API Keys
Include your API key in every request as a Bearer token:
Authorization Header
Use the standard Bearer token format in the Authorization header. Keys start with anch_.
curl -X GET "https://your-domain.com/api/companies" \ -H "Authorization: Bearer YOUR_API_KEY"
API Scopes
API keys are assigned scopes that determine what actions they can perform. Follow the principle of least privilege - only grant the minimum scopes needed.
| Scope | Description | Use Case |
|---|---|---|
| companies:read | View companies and details | Reporting, dashboards |
| companies:write | Create, update, delete companies | Data sync, imports |
| contacts:read | View contacts | Contact sync |
| contacts:write | Create, update, delete contacts | CRM sync |
| deals:read | View deals and pipeline | Pipeline reports |
| deals:write | Manage deals | Workflow automation |
| analytics:read | View analytics and metrics | Dashboards, BI tools |
| * | Full access to all resources | Admin tools only |
See the full list of 22 available scopes on the Scopes reference page.
Rate Limiting
Design your integration for a fair-use budget of 100 requests per minute per API key. Requests over budget may be throttled with a 429 response.
100
Requests per minute
Per Key
Each key has its own budget
429
Status when throttled
Rate Limit Headers
Throttled responses include a Retry-After header plus usage headers:
Retry-After: 45 X-RateLimit-Limit: 100 X-RateLimit-Remaining: 0 X-RateLimit-Reset: 1705747200
Authentication Errors
When authentication fails, you'll receive one of these error responses:
Missing or invalid API key
{
"error": "Unauthorized"
}API key doesn't have required scope
{
"error": "Missing required scope: companies:write"
}Rate limit exceeded
{
"error": "Too many requests",
"message": "Rate limit exceeded. Please try again later.",
"retryAfter": 45
}