Skip to main content
Every API request is authenticated with an API key that belongs to one organization. The key identifies which store’s data you’re working with — there’s no separate org parameter to pass.

Create an API key

1

Open Integrations

In the Retainful dashboard, go to Integrations and open (or create) the integration your system represents — for a bespoke backend, create a custom app.
2

Generate the key

Click Create API key. Copy it immediately and store it in your secrets manager — treat it like a password.

Use the key

Send it on every request in the X-API-Key header:
The header Retainful-api-key is accepted as an alias. Requests without a valid key receive 401 Unauthorized.

Key hygiene

  • Server-side only. Never ship an API key in browser JavaScript or a mobile app — anyone can read it there. Calls from your storefront should go through your own backend.
  • One key per system. Give your CRM sync and your booking platform separate keys, so you can rotate or revoke one without breaking the other.
  • Rotate on departure. If someone with access to the key leaves, revoke it from Integrations → your app → API keys and issue a new one.
  • Environment variables, not source code. Keys in git history live forever.

Revoking

Revoke any key from the same place you created it. Revocation is immediate — in-flight systems using the key start receiving 401s on their next request.