Skip to main content
Every request to the Quo API is authenticated with an API key. Keys are created in the Quo app by a workspace owner or admin, and each key has full access to your workspace’s API. This page covers getting a key and keeping it safe.

Get an API key

1

Open API settings

In Quo, go to Workspace Settings → API. You need owner or admin privileges to see this tab. If you don’t have them, this is the moment to go find the person who does.
2

Generate a key

Click Generate API key and name it after what will use it: crm-sync, claude-agent, staging-tests. Spaces aren’t allowed in key names.
One key per integration. When you retire an integration, you can delete its key without wondering what else will break.
3

Store it like a password

The key carries the same reach as an admin in your workspace. Put it in a secrets manager or environment variable. Never commit it to source control, ship it in client-side code, or paste it into a prompt.

Use the key

Send the key in the Authorization header, alongside the required version header: 
curl https://api.quo.com/users?limit=1 \
  --header "Authorization: YOUR_API_KEY" \
  --header "Quo-Api-Version: 2026-03-30"
If the request above returns a 200 with a data array, you’re authenticated. If it doesn’t, the quickstart’s troubleshooting table covers the usual suspects.

Key hygiene

A short list, because every item on it has a story behind it:
  • Separate keys for separate integrations. Keys grant full API access, so the only isolation you get is the isolation you create.
  • Rotate on departure. When someone with access to a key leaves your team, rotate it. Generating a new key and deleting the old one takes under a minute.
  • Keep keys out of prompts. If an AI agent calls Quo on your behalf, the key belongs in the agent’s environment or connector configuration, not in conversation text. More in Build with AI & agents.
  • Deleting is safe. Removing a key affects only the integrations using that key. Every other key keeps working.

Revoke a key

  1. Go to Workspace Settings → API.
  2. Find the key, click the ellipsis (three dots) icon, and select “Delete”.
  3. Access ends immediately. Generate a replacement if the integration should live on.
Lost track of which key does what? That’s the naming convention from step 2 paying for itself. If it’s too late for that, rotate them one at a time and watch what complains.