
API tokens

Why this matters

An API token is like a password, but for programs rather than people. It lets an external application (another tool, a script, a Zapier integration) read or write data in ZaazCRM without signing in as a human user.

Typical uses:

  • Sync contacts with Mailchimp.
  • Connect ZaazCRM with your accounting system.
  • Automate imports from Excel.
  • Custom mobile app.

Create a token

  1. Sidebar → Settings → API tokens → Create.
  2. Fill in:
     • Name ("Mailchimp sync", "Importer script").
     • Scope — what it can do.
     • Expiration — recommended max 1 year.
  3. Generate.
  4. Copy the token immediately — it is shown only once.

Screenshot: creation screen with newly generated token

Use the token

The application that calls the API sends the token in the Authorization header of every HTTP request:

Authorization: Bearer <your-token>

Revoke a token

If a token is compromised:

  1. Open the token → Revoke immediately.
  2. Generate a new one.
  3. Update the application.

Usage audit

Each token has a usage log showing when it was last used, the number of requests, and the source IP addresses.

Best practices

  • One token per integration.
  • Grant the minimum permissions (scope) the integration needs.
  • Short expiration — rotate yearly.
  • Tokens in environment variables, not in code.
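The two points above, sending the token as a Bearer header and keeping it in an environment variable rather than in code, as an added Python example (not ZaazCRM's own client; the variable name, base URL and the one-year rotation check are assumptions based on this page):

```python
import os
import urllib.request
from datetime import date, timedelta

# Assumed names: ZaazCRM does not prescribe these; adjust to your deployment.
TOKEN_ENV = "ZAAZCRM_API_TOKEN"
BASE_URL = "https://crm.example.invalid/api"  # placeholder, not a real endpoint


def load_token(env=None):
    """Read the token from the environment so it never lives in source control."""
    env = os.environ if env is None else env
    token = env.get(TOKEN_ENV, "").strip()
    if not token:
        raise RuntimeError(f"{TOKEN_ENV} is not set; export it before running")
    return token


def auth_headers(token):
    """Every request carries the token as a Bearer credential."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def mask(token):
    """Keep only a short suffix so logs and error messages never expose the secret."""
    return "****" + token[-4:] if len(token) > 4 else "****"


def build_request(path, token, method="GET"):
    """Build the request (without sending it) with the Authorization header attached."""
    return urllib.request.Request(
        f"{BASE_URL}{path}", headers=auth_headers(token), method=method
    )


def rotation_due(created_iso, today_iso=None, max_age_days=365):
    """Flag tokens older than the page's recommended one-year maximum."""
    created = date.fromisoformat(created_iso)
    today = date.today() if today_iso is None else date.fromisoformat(today_iso)
    return today - created >= timedelta(days=max_age_days)


if __name__ == "__main__":
    tok = load_token()
    req = build_request("/contacts", tok)
    # Log the masked value only; urllib.request.urlopen(req) would send the call.
    print("Prepared", req.get_method(), req.full_url, "using token", mask(tok))
```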

Watch out for

  • Tokens are secrets.
  • A token with no scope restriction is an open door.
  • Don't reuse tokens across environments (production and test).
