Updated 8 May 2025

API Authentication

QuintaGo uses API keys for server-side authentication and OAuth 2.0 for user-facing integrations. Choose the right method based on your use case.

API keys

API keys are the primary authentication method for server-to-server integrations. They carry the permissions of the workspace they belong to.

  • Live keys — prefixed with qg_live_, affect real data
  • Test keys — prefixed with qg_test_, sandbox only

Create and manage API keys at Settings → Integrations → API keys.

# Using an API key
Authorization: Bearer qg_live_xxxxxxxxxxxxxxxxxxxx

# Never expose live API keys in:
# - Frontend JavaScript
# - Git repositories (use environment variables)
# - Client-side mobile apps

Key scopes

Limit a key to specific operations using scopes. Recommended: create separate keys for each integration with the minimum required scope.

// Available scopes
leads:read        – list and get leads
leads:write       – create, update, archive leads
proposals:read    – list and get proposals
messages:write    – send WhatsApp messages
webhooks:write    – register webhook endpoints
calendar:read     – read calendar events

// Specify scopes when creating a key via API
POST /v1/api-keys
{
  "name": "Zapier integration",
  "scopes": ["leads:read", "leads:write"]
}

Key rotation

Rotate API keys periodically and immediately if you suspect a compromise:

  1. Create a new key with the same scopes
  2. Update all integrations to use the new key
  3. Revoke the old key from Settings → API keys

Revoking a key takes effect immediately. All requests using that key will return 401. Make sure the new key is deployed before revoking the old one.

OAuth 2.0

If you are building a third-party app that other QuintaGo customers will install, use OAuth 2.0. Contact developers@quintago.io to register your OAuth application.

// OAuth 2.0 flow
// 1. Redirect user to:
https://app.quintago.io/oauth/authorize
  ?client_id=YOUR_CLIENT_ID
  &redirect_uri=https://yourapp.com/callback
  &scope=leads:read+proposals:read
  &state=random_state_string

// 2. Exchange code for token:
POST https://api.quintago.io/oauth/token
{
  "code": "AUTHORIZATION_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "https://yourapp.com/callback",
  "grant_type": "authorization_code"
}
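
The flow above sends `state=random_state_string` but does not show how to create or check it. The following is an added example, not QuintaGo's own code, of generating a one-time state for step 1 and verifying it on the callback before building the step 2 body. The function names and the dict-like `session` are hypothetical, and it assumes the callback carries `code` and `state` query parameters as in standard OAuth 2.0.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_URL = "https://app.quintago.io/oauth/authorize"  # from step 1 above


def begin_authorization(session, client_id, redirect_uri, scopes):
    """Step 1: bind a fresh random state to the user's session and build the redirect URL."""
    state = secrets.token_urlsafe(32)  # 32 bytes from the OS CSPRNG
    session["oauth_state"] = state
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),  # urlencode renders the space as '+'
        "state": state,
    })
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(session, callback_url, client_id, client_secret, redirect_uri):
    """Step 2: verify state, then return the token request body. None means reject."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: consumed even on failure
    received = params.get("state", [""])[0]
    code = params.get("code", [""])[0]
    if not expected or not code:
        return None
    # Constant-time comparison of the stored and returned state values
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return None
    return {
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,  # server-side only, never sent to the browser
        "redirect_uri": redirect_uri,    # same value as in step 1
        "grant_type": "authorization_code",
    }
```

A `None` result means the callback did not originate from a redirect this session started, so the code should not be exchanged.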