Skip to main content
Every request must include an API key as a Bearer token:
curl https://app.gaintrace.com/api/v1/companies \
  -H "Authorization: Bearer gt_live_your_key_here"
Create and manage keys in Settings → API Keys. A key is shown once at creation — store it securely.

Key types

Secret keys — gt_live_

Full server-side keys. Use only from your backend, never in a browser. Gated by the workspace’s API-v1 entitlement.

Publishable keys — gt_pub_

Client-safe, write-only keys for browser ingest. Origin-pinned and CORS-enabled, with only the write:ingest scope. Safe to ship in front-end code.

Scopes

Each key is granted a set of scopes. A request needs the scope its endpoint requires, or it returns 403 Insufficient scope. A key with the * scope passes any check.
EndpointMethodRequired scope
/companies, /companies/{id}GETread:companies
/companies, /companies/{id}POST, PATCHwrite:companies
/contacts, /contacts/{id}GETread:contacts
/contacts, /contacts/{id}POST, PATCH, DELETEwrite:contacts
/signals, /signals/{id}GETread:signals
/signals, /signals/batch, /signals/{id}POST, PATCH, DELETEwrite:signals
/webhooks, /webhooks/{id}GETread:webhooks
/webhooks, /webhooks/{id}, /webhooks/{id}/testPOST, PATCH, DELETEwrite:webhooks
/eventsPOSTwrite:events or write:ingest
/metric-eventsPOSTwrite:events
Grant only what a key needs. Other scopes exist for surfaces not yet on the public API (for example read:revenue, read:health, read:deals).

Errors

StatusMeaning
401Missing Authorization header, or an expired, revoked, or invalid key.
403The key lacks the required scope, or API v1 is not enabled for the workspace.
429The key’s rate limit was exceeded. Back off and retry.
Treat gt_live_ keys like passwords. If one leaks, revoke it in Settings → API Keys — validation checks revocation on every request.
Last modified on July 6, 2026