
Creating and Using API Keys

How to create, use, and revoke Trust Leads API keys for programmatic enrichment access.


Creating an API Key

API keys are available on Pro and Agency plans. To create a key, navigate to /app/api-keys and click 'Create New Key'. Give the key a descriptive name (e.g. 'Production CRM Integration', 'Zapier Automation', or 'Dev Environment') so you can identify it in audit logs.

After clicking 'Create', the full key is shown exactly once — copy it immediately and store it in your secrets manager or environment variable system. After closing the dialog, only the key's prefix and last 4 characters are shown for identification purposes. If you lose the key, you must revoke it and create a new one.

Warning

API keys are shown only once at creation time. Store the key immediately in a secure location such as AWS Secrets Manager, HashiCorp Vault, GitHub Secrets, or your CI/CD platform's environment variables. Never write keys into source code.

API Key Format

All Trust Leads API keys begin with the prefix lfk_ (short for Trust Leads Key), followed by a random 40-character alphanumeric string. Example format: lfk_sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0.

The lfk_ prefix makes it easy to detect if a key is accidentally committed to version control or logged. Many secret scanning tools (GitHub Secret Scanning, GitGuardian) can be configured to alert on this pattern. If you detect an exposed key, revoke it immediately from the API Keys page.

Using the API Key

API keys can be passed in requests using either the Authorization header with the Bearer scheme or the X-API-Key header. The two are equivalent for authentication. The Authorization header is the more widely supported standard and is recommended for new integrations.

# Using Authorization header (recommended)
curl -X POST https://api.trustleads.ai/v1/jobs \
  -H "Authorization: Bearer lfk_sk_your_key_here" \
  -H "Content-Type: application/json" \
  -d '{"file_url": "https://your-storage.com/leads.csv"}'

# Using X-API-Key header (alternative)
curl -X GET https://api.trustleads.ai/v1/usage \
  -H "X-API-Key: lfk_sk_your_key_here"

Key Security Best Practices

Use one key per integration or environment. Create a separate key for production, staging, and each third-party tool that connects to Trust Leads. This way, if one key is compromised, you can revoke only that key without affecting other integrations.

Rotate keys periodically as part of your security hygiene — every 90 days is a good cadence for non-critical integrations, every 30 days for high-volume production systems. Use your key management tool to schedule rotation reminders.

  • One key per integration — never share keys between systems
  • Store keys in environment variables, never in source code
  • Rotate keys every 30–90 days
  • Immediately revoke keys suspected of exposure
  • Use descriptive key names for audit trail clarity
  • Never log API keys in application logs
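The lfk_ pattern check described under API Key Format and the "never log API keys" rule above can share one regular expression. The following is an added example, not Trust Leads code; the names redact, scan and RedactKeys are hypothetical, and the optional sk_ segment is an assumption taken from the example key on this page.

```python
import logging
import re

# Assumption: the page says "lfk_" + 40 alphanumerics, while its example key
# carries an extra "sk_" segment, so that segment is treated as optional.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])(lfk_(?:sk_)?)([A-Za-z0-9]{40})(?![A-Za-z0-9])")


def redact(text: str) -> str:
    """Replace each key with its prefix and last 4 characters."""
    return KEY_RE.sub(lambda m: f"{m.group(1)}...{m.group(2)[-4:]}", text)


def scan(text: str, source: str = "<input>") -> list[tuple[str, int, str]]:
    """Return (source, line number, redacted key) for every key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            findings.append((source, lineno, redact(m.group(0))))
    return findings


class RedactKeys(logging.Filter):
    """Logging filter that scrubs keys from the final formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None  # message is already formatted
        return True


# Constructed sample input; the key is the example key from this page.
SAMPLE = '''\
API_BASE=https://api.trustleads.ai/v1
API_KEY=lfk_sk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0
# placeholder, should not match: lfk_sk_your_key_here
'''

if __name__ == "__main__":
    for source, lineno, key in scan(SAMPLE, "config.env"):
        print(f"{source}:{lineno}: possible Trust Leads key {key}")
    log = logging.getLogger("demo")
    handler = logging.StreamHandler()
    handler.addFilter(RedactKeys())
    log.addHandler(handler)
    log.warning("request failed, header was Bearer %s", SAMPLE.splitlines()[1][8:])
```

scan() fits a pre-commit hook or CI step, and RedactKeys can be attached to any logging handler.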

Revoking a Key

To revoke a key, navigate to /app/api-keys, find the key by its name or prefix, and click 'Revoke'. Revocation is immediate — any request using the revoked key will receive a 401 Unauthorized response within seconds.

Revoked keys cannot be re-enabled. If you revoke a key by mistake, you must create a new one and update the credential in all systems that were using the revoked key. For this reason, using descriptive names and maintaining a key inventory helps avoid operational disruptions.

