Skip to main content
Both APIs use bearer-token authentication. Pass the token in the Authorization header on every request: 
Authorization: Bearer YOUR_API_KEY

Where keys live

API keys are issued at the organisation level and scoped to one or more projects. Generate a key in the Spotzee app under Settings → API keys.
Treat API keys as secrets. Never commit a key to source control, never embed in client-side code, and rotate immediately if you suspect a leak.

Key scopes

ScopePurpose
readRead-only access to contacts, segments, journeys, campaigns
writeRead + write for the same resources
secretFull read + write, including export/import and webhook configuration
Pick the least-privilege scope your integration actually needs.

Main API vs Extended API

  • The Main API (apix.spotzee.com/api/client) accepts organisation-scoped API keys.
  • The Extended API (app.spotzee.com/api/ext) accepts the same API keys — Spotzee resolves which surface owns the requested resource.

Errors

A missing or invalid token returns 401 Unauthorized. A valid token without sufficient scope returns 403 Forbidden. See the per-tab error reference: Main API errors, Extended API errors.

Next

Main API reference

All endpoints, request/response shapes.

Extended API reference

Edge utilities and validation.