> ## Documentation Index
> Fetch the complete documentation index at: https://openphone-dev.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Generate a Quo API key, send it correctly, and keep it safe.

Every request to the Quo API is authenticated with an API key. Keys are created in the Quo app by a workspace owner or admin, and each key has full access to your workspace's API. This page covers getting a key and keeping it safe.

## Get an API key

<Steps>
  <Step title="Open API settings">
    In Quo, go to **Workspace Settings → API**. You need owner or admin privileges to see this tab. If you don't have them, this is the moment to go find the person who does.
  </Step>

  <Step title="Generate a key">
    Click **Generate API key** and name it after what will use it: `crm-sync`, `claude-agent`, `staging-tests`. Spaces aren't allowed in key names.

    <Tip>
      One key per integration. When you retire an integration, you can delete its key without wondering what else will break.
    </Tip>
  </Step>

  <Step title="Store it like a password">
    The key carries the same reach as an admin in your workspace. Put it in a secrets manager or environment variable. Never commit it to source control, ship it in client-side code, or paste it into a prompt.
  </Step>
</Steps>

## Use the key

Send the key in the `Authorization` header, alongside the required [version header](/2026-03-30/versioning):

```bash theme={null}
curl https://api.quo.com/users?limit=1 \
  --header "Authorization: YOUR_API_KEY" \
  --header "Quo-Api-Version: 2026-03-30"
```

If the request above returns a `200` with a `data` array, you're authenticated. If it doesn't, the [quickstart's troubleshooting table](/2026-03-30/quickstart#if-it-didnt-work) covers the usual suspects.

## Key hygiene

A short list, because every item on it has a story behind it:

* **Separate keys for separate integrations.** Keys grant full API access, so the only isolation you get is the isolation you create.
* **Rotate on departure.** When someone with access to a key leaves your team, rotate it. Generating a new key and deleting the old one takes under a minute.
* **Keep keys out of prompts.** If an AI agent calls Quo on your behalf, the key belongs in the agent's environment or connector configuration, not in conversation text. More in [Build with AI & agents](/2026-03-30/ai-agents).
* **Deleting is safe.** Removing a key affects only the integrations using that key. Every other key keeps working.

## Revoke a key

1. Go to **Workspace Settings → API**.
2. Find the key, click the ellipsis (three dots) icon, and select **"Delete"**.
3. Access ends immediately. Generate a replacement if the integration should live on.

<Note>
  Lost track of which key does what? That's the naming convention from step 2 paying for itself. If it's too late for that, rotate them one at a time and watch what complains.
</Note>
