Authentication
Generate API keys, use Bearer token authentication, and manage key permissions.
Generating an API key
1. Go to Settings → Developer → API Keys.
2. Click Create API Key.
3. Enter a descriptive name (e.g. "Zapier Integration", "Custom CRM Sync", "Internal Dashboard").
4. Select a permission level: Read-only, Read-write, or Admin.
5. Click Generate. The key is shown once — copy it now and store it securely.
6. The key appears in the list as a masked value. It cannot be retrieved again, but can be revoked at any time.
Using the key in API requests
Include the key as a Bearer token in the Authorization header of every request:
```
# Required on every request:
Authorization: Bearer frth_live_xxxxxxxxxxxxxxxxxxxxxxxx

# Example cURL:
curl https://getfrith.com/api/v1/matters \
  -H "Authorization: Bearer frth_live_xxxx" \
  -H "Content-Type: application/json"
```
Permission levels
- Read-only: GET requests only. Can read matters, contacts, invoices, time entries, documents, and tasks. Cannot create, update, or delete anything.
- Read-write: GET, POST, and PATCH requests. Can read and create/update most resources. Cannot delete records or manage users.
- Admin: Full access including DELETE, user management, and organisation settings. Use with caution — only assign to trusted automated systems.
Production vs test keys
- Production keys begin with frth_live_ — operations affect real data.
- Test keys begin with frth_test_ — operate in sandbox mode. All operations succeed without modifying production data. Sandbox data resets every 24 hours.
- Generate a test key from Settings → Developer → API Keys → Create Test Key.
- Always develop and test using frth_test_ keys before switching to frth_live_.
Never commit API keys to source control or include them in client-side code. Store keys in environment variables or a secrets manager. If you suspect a key has been exposed, revoke it immediately: Settings → Developer → API Keys → Revoke.
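One way to enforce the "never commit API keys" rule is to scan files for the frth_live_ and frth_test_ prefixes before they reach source control. The following is an added example, not code from Frith; the key-body pattern (16 or more alphanumeric characters), the FRITH_API_KEY variable name and the sample text are assumptions constructed for illustration.

```python
import re
import sys

# Assumption: the key body after the prefix is 16+ characters of [A-Za-z0-9].
# The page only shows a masked placeholder, so adjust this to the real format.
KEY_RE = re.compile(r"\bfrth_(live|test)_([A-Za-z0-9]{16,})")

# Constructed sample input (made-up values, not real keys).
SAMPLE = '''\
FRITH_API_KEY=frth_live_Zk3Qp9Lm2Xv7Rt5Yw8Bn4Hc1
headers = {"Authorization": "Bearer frth_test_a1B2c3D4e5F6g7H8i9J0k1L2"}
curl -H "Authorization: Bearer frth_live_xxxxxxxxxxxxxxxxxxxxxxxx"
key = os.environ["FRITH_API_KEY"]
'''


def mask(key):
    """Keep the prefix and last 4 characters so the report does not leak the key."""
    prefix, body = key[:10], key[10:]  # both prefixes are 10 characters long
    return prefix + "*" * (len(body) - 4) + body[-4:]


def scan(text, path="<stdin>"):
    """Return one finding per key-shaped string; live keys rate higher than test keys."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in KEY_RE.finditer(line):
            env, body = m.group(1), m.group(2)
            if set(body) == {"x"}:  # documentation placeholder (frth_live_xxxx...)
                continue
            findings.append({"path": path, "line": lineno, "env": env,
                             "severity": "high" if env == "live" else "low",
                             "masked": mask(m.group(0))})
    return findings


if __name__ == "__main__":
    found = []
    for p in sys.argv[1:]:
        with open(p, errors="replace") as fh:
            found += scan(fh.read(), p)
    for f in found:
        print(f"{f['path']}:{f['line']}: {f['severity']} {f['masked']}")
    sys.exit(1 if found else 0)
```

Run it with the staged file paths as arguments (for example from a pre-commit hook); a non-zero exit status blocks the commit, and any key it reports should be revoked rather than just removed from the file.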