EmpireVault

Knowledge Base / Platform & Billing / The REST API and API Keys

The REST API and API Keys

Published July 07, 2026

What the API is for

The REST API lets you connect your own systems to EmpireVault - pulling CRM and ticket data into another tool, or pushing records in from somewhere else - without going through the app's screens.

Creating and revoking a key

Navigate to Platform > Integrations > API keys (admin only), click Add key, give it a label, and choose a scope: read_only for GET requests, or read_write to also create and update records. The full key is shown once, right after creation - copy it immediately, since afterwards only a masked hint is shown. To rotate a key's secret, click Regenerate - it swaps in a new secret for that same key immediately, the old secret stops working right away, and the new one is shown once just like at creation. Revoke disables a key immediately and can't be undone; create a new key instead.

Authenticating requests

Requests go to https://app.empirevault.com/api/v1/.... Send the key as a bearer token on every request:

Authorization: Bearer evk_live_...

A missing, invalid, or revoked key gets a 401; a read_only key gets a 403 on any create or update request.

What you can work with

Contacts, companies, and deals support listing, viewing, creating, and updating - deals also have a stage endpoint that moves a deal to a new stage, marks it won or lost, or reopens a closed one. Tickets can be listed, viewed, created, and commented on, including internal-only comments. Attach a note to a contact, deal, or lead, or create a task against a contact, deal, lead, or ticket - both are create-only. Custom fields on contacts, companies, and deals are read and written the same way, keyed by each field's ID from the custom fields endpoint. Ticket custom fields can't be read or written through the API today - a custom_fields value included on a ticket create request is silently ignored, not saved. A ping endpoint confirms which account and key you're using.

Safe retries, and no deletes

Add an Idempotency-Key header with a unique value to a create request, and retrying with the same key and body replays the original result instead of creating a duplicate - useful when a request times out and you're unsure whether it went through. Nothing can be deleted through the API in this version; records can only be listed, viewed, created, and updated.

Paging through lists

Listing endpoints return a page of records with a cursor for the next page - pass it back on your next request to keep paging, and stop once no cursor comes back. You can also filter to records updated since a given time, so you don't have to re-fetch everything on every sync.

Rate limits

Each key is limited to 1,000 requests per hour. Every response includes headers showing your limit, remaining requests, and reset time; going over the limit returns a 429 with a Retry-After header telling you how long to wait.

Was this article helpful?

Powered by EmpireVault