API keys
Every call into the MCP server or the public REST API is authenticated with a workspace-scoped API key. This page covers the key format, the scope model, the per-workspace cap, rate limits, and how key activity is audited.
Where to manage keys
Settings → Developer. Visible to ADMIN members only. Workspaces with MANAGER or VIEW_ONLY members will see a "request access from a workspace admin" panel.
The page lists every active key with its prefix, scopes, last-used timestamp, and per-month call count. Use Create key to mint a new one and Revoke to permanently disable it.
Key format
Keys look like ff_LongRandomString — about 51 characters total:
- The
ff_prefix marks it as a FunnelFizz key (useful for secret-scanner regexes). - The first 12 characters (
ff_XXXXXXXXX) are the display prefix — stored in cleartext so the UI can show you which key is which. It's short enough to be useless on its own. - The remaining characters are the secret payload.
We hash the full key with SHA-256 before storing it. We never persist the cleartext anywhere. If you lose it, revoke and mint a new one — we cannot recover it.
The full cleartext is returned exactly once, in the cleartext field of the create response. Copy it immediately into your secret manager.
Scopes
API keys hold one or more of four coarse scopes:
| Scope | What it grants |
|---|---|
setup | Register tracking sites, email senders/domains, integrations, and custom events. |
read | List and read every workspace resource: funnels, metrics, profiles (PRO), reports, audit logs, drilldowns. |
write | Create and edit funnels/splits/extensions, email drafts and campaigns, automations, tracking sites, and integrations. |
admin | Workspace administration: team management, billing changes, API key management, ownership transfer, workspace deletion. |
Scopes are filtered three ways at request time, and a key only gets a tool if the intersection is non-empty:
- Plan —
readandwriterequire HOBBY+;setupandadminwork on FREE. - Role —
VIEW_ONLYcan only mintread;MANAGERaddssetupandwrite; onlyADMINcan mintadmin. - Granted — the explicit set you chose when minting the key.
Plan downgrades take effect immediately — a key with write continues to authenticate but every write tool will respond with a plan-gate error until you re-upgrade. The key itself does not need to be re-minted.
Per-workspace cap
| Plan | Active keys |
|---|---|
| FREE | 1 |
| HOBBY | 3 |
| PRO | 10 |
Revoked keys do not count. Reach the cap and the create endpoint returns plan_key_cap_exceeded. The cap exists so you can't mint N keys to bypass the per-key monthly call quota.
Rate limits
Rate limits apply per key, not per workspace:
| Plan | Per minute | Per month |
|---|---|---|
| FREE | 30 | 5,000 |
| HOBBY | 60 | 50,000 |
| PRO | 300 | 500,000 |
Mutation tools (write + admin scopes) additionally count against the per-day / per-month / per-minute MCP mutation caps from your plan — see PLAN_LIMITS for the exact numbers (mcpMutationsPerMinute, mcpMutationsPerDay, mcpMutationsPerMonth).
The monthly counter resets on the 1st of each UTC month.
Audit log
Every key action is recorded:
- Key lifecycle (
api_key.create,api_key.revoke) lands in the workspace audit log alongside other admin events. - Per-call activity (every authenticated request, with tool name, status, latency, source IP hash) lands in the per-key activity log. Open any key on the Settings → Developer page and click Activity to see the last 200 events.
Both are workspace-scoped and admin-only; team members below the ADMIN role cannot see them.
Safety tiers for MCP
MCP write tools layer a safety tier on top of the scope check:
- T0 — read-only tools (
list_*,get_*, drilldowns). No confirmation step. - T1 — mutations. Require a single-use, 10-minute
target_tokenminted viaconfirm_target. - T2 — destructive admin actions (workspace delete, ownership transfer). Require an emailed one-time code on top of
target_token.
The tier is enforced by the tool itself; the API key's scope is necessary but not sufficient. See safety tiers for the full handshake.
Revoking a key
Settings → Developer → [Key] → Revoke. Revocation is immediate — in-flight requests fail with unauthorized on the next call. Revoked keys can be reused for audit but never re-activated; mint a new one.
If you can't access a working admin session (e.g., your only key was leaked), you can self-revoke from the MCP side with confirmSelf: true so you have a way out without locking yourself out.