Generating an API key for the public REST API
Turtini exposes a public REST API at api.turtini.com that external systems can use to read AND write your org's articles, contacts, accounts, opportunities, and events. Authentication is via Bearer token — your org generates the keys, scopes each one, and revokes them whenever you want.
Public API docs (full endpoint list, pagination + idempotency contract, OpenAPI spec, language quick-starts): https://turtini.com/docs/api
(This is different from the Partner Portal CLI key, which authenticates the turtini-dev CLI for module publishing. The two key systems are independent.)
To create a key:
1. Go to Settings → Developer → API Keys (org admins only)
2. Click + New API Key
3. Give it a name (e.g. "Marketing site", "Zapier", "Internal data warehouse")
4. Pick the scopes — the minimum the key needs to do its job. The picker is laid out as a per-module read/write grid:
Reads:
- articles:read, contacts:read, accounts:read, opportunities:read, events:read
- *:read — all read scopes (use sparingly)
Writes:
- articles:write — create draft articles
- contacts:write — create contacts
- events:write — create draft events
- *:write — all write scopes (use sparingly)
Other:
- email:send — send transactional email through Turtini's Resend pipeline
5. Optionally set an IP allowlist (comma-separated CIDR blocks) so the key only works from your servers
6. Click Create
The plaintext key is shown ONE TIME on a confirmation screen — copy it immediately into your secret manager. We only store the SHA-256 hash; if you lose the plaintext, you have to revoke the key and create a new one.
Using the key (read):
curl https://api.turtini.com/v1/articles \
-H "Authorization: Bearer turtini_<your-key>"
Verifying a key from your code:
curl https://api.turtini.com/v1/auth/verify \
-H "Authorization: Bearer turtini_<your-key>"
Returns the bound orgId, orgName, orgSlug, keyId, and the scopes the key carries — handy for rendering "you're connected as <Org>" in your integration's UI.
Pagination: pass ?limit=N (max 100) and ?pageToken=<next> using the cursor returned in the previous response.
Monitoring: each key shows last-used timestamp and request count on the Developer page. If a key shows unexpected traffic, revoke it.
Revoking: click Revoke on any key — requests authenticated by that key start returning 401 immediately.
Related:
• "Writing data through the public API" — covers POST endpoints + Idempotency-Key
• "@turtini/sdk — typed Public API client for Node, browser, and Deno"
• "@turtini/mcp — letting AI-IDE agents collaborate with your org"