API key behavior
- Raw keys are shown once at creation time.
- FirstSales stores only a hash and a display prefix.
- Revoked keys stop working immediately.
- Keys are bound to the creator’s organization membership.
- If the creator loses access or is suspended, the key fails closed.
Access levels
Developer API keys have an access level:workspace: can operate only workspace-scoped resources and requires a workspace target.organization: can operate organization-scoped resources only with explicit organization scopes.
Scopes
Use the narrowest scope set possible. Common scopes include:campaigns:read,campaigns:writecontacts:read,contacts:writeinbox:read,inbox:writeconnectors:read,connectors:writebilling:read,billing:writeapi_keys:read,api_keys:writemembers:read,members:writegroups:writedomains:read,domains:write
CLI auth order
The CLI resolves credentials in this order:--api-keyFIRSTSALES_API_KEY- Selected local profile