API Keys

All API requests require authentication using a workspace API key. Keys are scoped to your workspace and can only access your own data.

Key Format

API keys start with the wbk_ prefix (workspace key):
wbk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0u1v2w3x4y5z6

Creating an API Key

  1. Go to Dashboard → Settings → API & Integrations
  2. Click Create API Key
  3. Configure:
    • Name: Descriptive name for the key
    • Permissions: Select read, write, and/or Lexi access
    • Expiration: Optional expiry date
  4. Save the key immediately — you won’t see it again!
Never commit API keys to version control or share them publicly. Treat them like passwords.

Making Authenticated Requests

Include your API key in the Authorization header using Bearer authentication:
Authorization: Bearer wbk_your_api_key_here

Example

curl https://nbkxaqxwvkgbddekwsma.supabase.co/functions/v1/api-gateway/v1/contacts \
  -H "Authorization: Bearer wbk_your_api_key_here"

Permissions

API keys can have three types of permissions:
Read: View contacts, lists, campaigns, deals, and prospect search results. Endpoints:
  • GET /v1/contacts
  • GET /v1/lists
  • GET /v1/campaigns
  • All GET endpoints
Write: Create, update, and delete contacts, lists, and campaigns. Endpoints:
  • POST /v1/contacts
  • PATCH /v1/contacts/:id
  • POST /v1/lists
  • POST /v1/campaigns
  • All POST, PATCH, DELETE endpoints
Lexi: Interact with the Lexi AI assistant, and view and approve tasks. Endpoints:
  • POST /v1/lexi/chat
  • GET /v1/lexi/tasks
  • POST /v1/lexi/tasks/:id/approve
For security, create separate keys with minimal permissions for different use cases (e.g., read-only key for analytics).

Rate Limits

API usage is limited based on your workspace plan:
Plan       Daily Limit     Per Minute
Starter    100 calls       10
Pro        1,000 calls     50
Org        10,000 calls    200
Rate limits reset at midnight UTC (00:00).

Rate Limit Headers

Every API response includes headers showing your current usage:
X-RateLimit-Limit: 1000        # Total daily limit
X-RateLimit-Remaining: 847     # Calls remaining today
X-RateLimit-Reset: 1708905600  # Unix timestamp of reset

When You Hit the Limit

If you exceed your rate limit, you’ll receive a 429 Too Many Requests error:
{
  "error": {
    "code": "rate_limited",
    "message": "Rate limit exceeded. Resets at 2026-02-25T00:00:00Z"
  }
}
Status Code: 429 Too Many Requests
Monitor the X-RateLimit-Remaining header and implement exponential backoff when approaching limits.

Error Responses

Authentication Errors

Missing Authorization Header

{
  "error": {
    "code": "missing_auth",
    "message": "Missing or invalid Authorization header"
  }
}
Status Code: 401 Unauthorized

Invalid API Key

{
  "error": {
    "code": "invalid_key",
    "message": "Invalid API key"
  }
}
Status Code: 401 Unauthorized

Revoked Key

{
  "error": {
    "code": "revoked_key",
    "message": "API key has been revoked"
  }
}
Status Code: 401 Unauthorized

Insufficient Permissions

{
  "error": {
    "code": "insufficient_permissions",
    "message": "Missing required permission: write"
  }
}
Status Code: 403 Forbidden
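
The rate-limit headers and error codes above, combined into one client-side decision routine. This is an added example, not code from the original page or the product's own client. The function names, the low_water threshold, the 60-second backoff cap and the reading of a 429 with quota remaining as a per-minute limit are assumptions; the base URL is taken from the curl example and the LEADLEX_API_KEY variable from Best Practices.

```python
import json, os, random, time, urllib.error, urllib.request

# Base URL copied from the page's curl example.
BASE_URL = "https://nbkxaqxwvkgbddekwsma.supabase.co/functions/v1/api-gateway"
# Error codes documented on the page that a retry can never fix.
FATAL = {"missing_auth", "invalid_key", "revoked_key", "insufficient_permissions"}

def load_key(env=os.environ):
    """Read the key from the environment and check the wbk_ prefix."""
    key = env.get("LEADLEX_API_KEY", "")
    if not key.startswith("wbk_"):
        raise RuntimeError("LEADLEX_API_KEY is unset or is not a wbk_ key")
    return key

def decide(status, headers, body, attempt, now, low_water=10, jitter=random.random):
    """Map one response to (action, seconds): ok, retry, wait_reset or fail."""
    code = (body.get("error") or {}).get("code") if isinstance(body, dict) else None
    remaining = int(headers.get("X-RateLimit-Remaining", low_water + 1))
    reset = int(headers.get("X-RateLimit-Reset", 0))
    if code in FATAL or status in (401, 403):
        return ("fail", 0.0)  # bad, revoked or under-privileged key: stop here
    if status == 429 or code == "rate_limited":
        if remaining <= 0:  # daily quota spent: nothing succeeds before the reset
            return ("wait_reset", float(max(reset - now, 0)))
        # Assumption: quota is left, so the per-minute limit tripped; back off.
        return ("retry", min(60.0, 2.0 ** attempt) + jitter())
    if status >= 400:
        return ("fail", 0.0)
    if remaining <= low_water and reset > now:
        # Near the daily limit: pacing hint that spreads the calls left to the reset.
        return ("ok", (reset - now) / max(remaining, 1))
    return ("ok", 0.0)

def get(path, max_attempts=5):
    """GET path with Bearer auth; returns (parsed body, pacing hint in seconds)."""
    req = urllib.request.Request(
        BASE_URL + path, headers={"Authorization": "Bearer " + load_key()})
    for attempt in range(max_attempts):
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, headers, raw = resp.status, resp.headers, resp.read()
        except urllib.error.HTTPError as err:  # 4xx and 5xx arrive as exceptions
            status, headers, raw = err.code, err.headers, err.read()
        body = json.loads(raw or b"{}")
        action, wait = decide(status, headers, body, attempt, time.time())
        if action == "ok":
            return body, wait
        if action != "retry":
            raise RuntimeError(f"HTTP {status}: {action} (seconds to wait: {wait:.0f})")
        time.sleep(wait)
    raise RuntimeError("still rate limited after retries")
```

Authentication and permission failures are surfaced immediately rather than retried, since every retry against a revoked or invalid key still counts against the workspace quota and hides the signal that a key needs rotating.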

Key Management

Rotating Keys

To rotate an API key:
  1. Create a new key with the same permissions
  2. Update your application to use the new key
  3. Test thoroughly to ensure the new key works
  4. Revoke the old key in the dashboard
Revoking a key immediately stops all API requests using that key. This cannot be undone.

Monitoring Usage

View API usage statistics in your dashboard:
  • Total calls today
  • Calls per endpoint
  • Error rate
  • Last used timestamp

Best Practices

Use Environment Variables

Store API keys in environment variables, never in code:
export LEADLEX_API_KEY="wbk_your_key"

Rotate Regularly

Rotate keys every 90 days or when team members leave.

Minimal Permissions

Only grant permissions that are actually needed.

Monitor Activity

Check “Last Used” regularly to detect unused or leaked keys.

Workspace Isolation

API keys are workspace-scoped. Each key can only access data within its own workspace. There is no cross-workspace access.
This means:
  • You can only view/edit your own contacts
  • You can only create campaigns for your own lists
  • Lexi AI only has access to your workspace data