API Keys let external applications — CRMs, Zapier, custom scripts — securely interact with Mumara Campaigns. You manage them under Settings → API Keys, which has two tabs: API Keys for creating and managing tokens, and API Roles for defining the permission sets those tokens use.
Clicking Create an API Key generates a token instantly; you then give it a description, set a per-minute rate limit (default 60 requests), assign an API role, and optionally restrict it to specific IP addresses (one per line). Roles control exactly which operations a key can perform — modules include List Management, Contact Management, Broadcasts, Suppression, Statistics, Web Forms, and more, each with granular permission checkboxes. You can disable, edit, or delete keys at any time; disabling or deleting takes effect immediately and stops all applications using that key.
Worth knowing: the V2 API requires the key as a Bearer token in the Authorization header — query-parameter authentication (?api_token=) only works with the legacy V1 API. Exceeding the rate limit returns HTTP 429 with headers indicating when to retry. A 403 error usually means the key's role lacks the needed permission or your IP isn't on the allowed list. You can't delete a role that's still assigned to active keys. For production, enable IP restrictions, create a separate key per integration, and grant only the permissions each integration actually needs.
