Browse documentation

API keys

One key mechanism authenticates the REST API, the MCP server, and Zapier. Here is how to create one, what it can do, and how revoking it works.

Updated 2026-07-06

An API key is how anything outside your browser session — a script, Zapier, an AI assistant — proves it's allowed to act on your workspace. NeoKivo has one key mechanism; the REST API, the MCP server, and Zapier all use it.

Create a key

  1. 1Open Settings → Integrations. Only the workspace owner can create a key.
  2. 2Under API access, name the key and create it — or use the Zapier or AI assistants (MCP) cards, which create one for you with a matching name.
  3. 3Copy the key. It starts with nk_live_ and is shown only once.

The key is shown once and stored only as a SHA-256 hash — NeoKivo cannot show it again. If you lose it, revoke it and create a new one.

What a key can do

A key acts as the workspace member who created it — same role permissions, same deal visibility, as if that person were using the app themselves. If its creator can't create deals, neither can their key. If a deal is private to someone else, the key can't see or touch it either.

If a key's creator later leaves the workspace — or on an old key with no recorded creator — the key stops working on every request, reads included. NeoKivo does not fall back to full workspace access: it fails closed with a 403 and the message "This API key cannot act: its creator is no longer a member of this workspace. Create a new API key." The fix is the same either way — create a new key as a current member.

The same orphan rule applies to the MCP server, which authenticates with these keys too. Writes are also blocked separately, with a 402, when the workspace itself is read-only (a trial that ended) — that check runs after the orphan check, so an orphaned key always gets the 403, never a misleading 402.

Revoking a key

In Settings → Integrations, the owner can revoke any key from the list. Revoking is immediate — the next request with that key gets a 401 with "Invalid API key," whether it comes from a script, Zapier, or an MCP client.

DetailValue
Prefixnk_live_
Shown in the keys listnk_live_ plus 6 more characters, then "…" — enough to recognize it
StoredSHA-256 hash of the full key only — the plaintext is never persisted
Who can create or revokeThe workspace owner only
Last usedStamped on each authenticated request, best-effort

See the REST API for what a key can call, and connect Claude and other AI assistants (MCP) for the MCP-specific setup.

Spotted something out of date? Email hello@neokivo.com.