API keys (personal access tokens) are user-scoped credentials for authenticating with the Lofty API. They are well suited for personal automation, scripts, CLI usage, and server-side integrations where the developer controls the environment.
The Lofty CLI uses API keys as LOFTY_CUSTOMER_KEY for the Client Credentials flow. API keys are a fully supported authentication method — not just for testing.

Obtain your API key

Navigate to Settings → Integrations → API in your Lofty account to view or generate your key. Each key is bound to the account that generated it. Requests authenticated with that key operate within that account’s permissions and carry a THIRD_PARTY_OPERATION scope.

Key properties

| Property | Description |
| --- | --- |
| Scope | THIRD_PARTY_OPERATION — enforced at token verification |
| Expiration | Configurable. Keys can have an expires_at date set at creation. Check your key’s expiry in account settings. |
| Revocation | Can be revoked immediately in account settings |
| Format | JWS token with metadata (not a static string) |

Authenticate requests

Pass your API key in the Authorization header with the token prefix:

```bash
curl https://api.lofty.com/v1.0/leads \
  -H "Content-Type: application/json" \
  -H "Authorization: token <API_KEY>"
```

Or use the Lofty CLI:

```bash
export LOFTY_CUSTOMER_KEY="<API_KEY>"
lofty-cli leads list --limit 10
```

Security considerations

  • Do not expose keys in client-side code, public repositories, or logs.
  • Do not share keys with external vendors or third parties.
  • Keys are not subject to Lofty’s security review process — you are responsible for access control.
  • If a key is compromised, revoke it immediately in your account settings and generate a new one.
  • Monitor your key’s expiration date and rotate before it expires.
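
One way to keep the key out of process listings and logs when scripting the curl call shown earlier. This is an added example, not Lofty's code: the helper names and the key-file path are hypothetical, and it assumes curl 7.55.0 or later.

```bash
#!/usr/bin/env bash
# Added example, not Lofty's code. Helper names and the key-file path are hypothetical.
# Assumes curl >= 7.55.0, which accepts "-H @-" to read header lines from stdin.

# Load the key from a file, refusing one that group or others can access.
load_lofty_key() {
  _lk_file=$1
  [ -f "$_lk_file" ] || { echo "no key file: $_lk_file" >&2; return 1; }
  # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
  _lk_mode=$(ls -ld "$_lk_file" | cut -c5-10)
  if [ "$_lk_mode" != "------" ]; then
    echo "$_lk_file is accessible to group/others; run chmod 600" >&2
    return 1
  fi
  LOFTY_CUSTOMER_KEY=$(tr -d '\r\n' < "$_lk_file")
  export LOFTY_CUSTOMER_KEY
}

# GET a path such as /v1.0/leads. The header goes to curl on stdin, so the key
# never appears in curl's argument list (visible to other users via ps).
lofty_get() {
  if [ -z "${LOFTY_CUSTOMER_KEY:-}" ]; then
    echo "LOFTY_CUSTOMER_KEY is not set" >&2
    return 1
  fi
  printf 'Authorization: token %s\n' "$LOFTY_CUSTOMER_KEY" |
    curl --silent --show-error --fail \
      -H "Content-Type: application/json" -H @- \
      "https://api.lofty.com$1"
}

# Filter for anything written to logs or CI output: masks the key in the two
# forms this page uses (the Authorization header and the CLI variable).
redact_lofty_key() {
  sed -E \
    -e 's/([Aa]uthorization:[[:space:]]*token[[:space:]]+)[^[:space:]"]+/\1[REDACTED]/g' \
    -e 's/(LOFTY_CUSTOMER_KEY=)("?)[^[:space:]"]+/\1\2[REDACTED]/g'
}

# Usage:
#   load_lofty_key "$HOME/.config/lofty/key" && lofty_get /v1.0/leads
#   some_script_that_logs 2>&1 | redact_lofty_key >> run.log
```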

When to use each method

| Scenario | Recommended |
| --- | --- |
| Personal automation or scripts | API Key |
| CLI usage (lofty-cli) | API Key (as LOFTY_CUSTOMER_KEY) |
| Server-to-server (no user interaction) | OAuth 2.0 Client Credentials + API Key |
| Third-party multi-tenant integrations | OAuth 2.0 Authorization Code |
| User-facing applications / SPAs | OAuth 2.0 with PKCE |