API Keys
How to create, manage, and protect your API keys to authenticate lead submission via webhook.
What are API keys?
API keys are authentication credentials that protect your inbound webhook. Every request sent to the Zero Bad Leads webhook must include a valid API key — without one, the lead is rejected with a 401 error (unauthorized).
Your API keys are sensitive credentials. Never share them publicly, don't include them in open-source code, and don't expose them in frontend forms.
Where to find your API keys
Access settings
In the sidebar menu, go to Settings > Integrations (or Settings > API Keys, depending on your plan).
View your keys
Your API keys are listed with the following information:
- Name — the label you defined (e.g., "Production", "Testing")
- Key — the key itself (partially hidden by default)
- Created at — creation date
- Last used — when it was last used
Creating a new API key
Click 'Create new key'
At the top of the API keys list, click the Create new key button.
Give it a descriptive name
Choose a name that identifies where this key will be used. Examples:
- "Production - Main landing page"
- "RD Station Marketing"
- "Testing - Staging"
Copy the key immediately
The full key is displayed only once at the time of creation. Copy it and store it in a secure location (password manager, server environment variable, etc.).
If you lose an API key, it cannot be recovered. You'll need to create a new one and update all integrations that used the old key.
Using the API key in the webhook
The API key must be sent in the x-api-key header of every POST request to the webhook:
```http
POST https://ctmhfalurdthlddaprfd.supabase.co/functions/v1/webhook-receiver
Content-Type: application/json
x-api-key: your-api-key-here

{
  "email": "lead@empresa.com",
  "name": "João Silva",
  "phone": "(11) 99999-9999"
}
```
If the key is invalid or missing, the response will be:
```http
HTTP 401 Unauthorized

{ "error": "Invalid or missing API key" }
```
Revoking an API key
If a key has been compromised or is no longer needed:
Locate the key
In the API keys list, find the one you want to revoke.
Click Revoke
Click the action button (trash icon or "..." menu) and confirm the revocation.
Update your integrations
Any service or form that used this key will stop working immediately. Update the key in those integrations with a new valid key.
Revocation is immediate and irreversible. Leads sent with a revoked key will be rejected.
Security best practices
Use separate keys per environment
Create one key for production and another for testing. This way, if you need to revoke the testing key, your production is not affected.
Rotate periodically
Change your API keys every 3-6 months as a preventive measure:
1. Create a new key
2. Update integrations to use the new key
3. Confirm everything works
4. Revoke the old key
Store securely
- Environment variables on the server (not in source code)
- Password manager (1Password, Bitwarden, etc.)
- Secrets vault (AWS Secrets Manager, HashiCorp Vault)
Never expose on the frontend
The API key should only be used in:
- Backend servers
- Automation platforms (RD Station, ActiveCampaign)
- Server-side tools (Zapier, Make)
Never put the API key in JavaScript executed in the end user's browser.
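A backend relay for the rule above, as an added example that is not Zero Bad Leads' own code: the browser posts the form to your server, and only the server attaches the key, read from an environment variable. The variable name ZBL_API_KEY, the function names, and treating any 2xx status as accepted are assumptions.

```javascript
// Added example (Node.js 18+). ZBL_API_KEY and all function names are
// hypothetical; the URL, header name and 401 behaviour come from this page.
const WEBHOOK_URL =
  "https://ctmhfalurdthlddaprfd.supabase.co/functions/v1/webhook-receiver";

// Build the outbound request. The key comes from the server environment,
// never from anything the browser sent.
function buildLeadRequest(formData, env = process.env) {
  const apiKey = env.ZBL_API_KEY;
  if (!apiKey) {
    throw new Error("ZBL_API_KEY is not set on the server");
  }
  // Forward only the expected fields, so extra properties in the form
  // payload (including a key pasted there by mistake) are not relayed.
  const { email, name, phone } = formData;
  return {
    url: WEBHOOK_URL,
    options: {
      method: "POST",
      headers: { "Content-Type": "application/json", "x-api-key": apiKey },
      body: JSON.stringify({ email, name, phone }),
    },
  };
}

// Map the webhook status to an outcome the operator can act on.
function classifyResponse(status) {
  if (status === 401) return "rejected-key"; // invalid or missing API key
  if (status >= 200 && status < 300) return "accepted"; // assumption: 2xx = ok
  return "other-error";
}

// Call this from your own backend route after it receives the form POST.
async function submitLead(formData, fetchImpl = fetch, env = process.env) {
  const { url, options } = buildLeadRequest(formData, env);
  const res = await fetchImpl(url, options);
  const outcome = classifyResponse(res.status);
  if (outcome === "rejected-key") {
    // Log the outcome only; never write the key itself to logs.
    console.error("Webhook returned 401: check the key stored in ZBL_API_KEY");
  }
  return outcome;
}
```

During rotation, only the environment variable on the server changes; the form and the browser code stay untouched.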
Limits by plan
| Plan | Maximum API keys |
|---|---|
| Starter | 3 |
| Pro | 10 |
| Scale | Unlimited |
If you've reached your plan's API key limit, consider revoking old keys that are no longer in use before upgrading.