Every endpoint Tormano's UI uses is also available as a REST API for programmatic access.
Creating an API key
Settings > Integrations > API Keys > + New API Key. Give it a name (e.g. "Production Zapier integration"), tick the permissions it should carry, and optionally set an expiry. Save.
Permissions are verb-scoped and enforced on top of your own role:
- read = GET requests
- write = POST / PATCH requests
- delete = DELETE requests
There's no per-entity picker in the create dialog — a key's reach is these verbs across the modules your role already allows. You can also set Expires In (days); leave it blank for a key that never expires.
The key is shown once. Copy it now — you can't retrieve it later. If lost, delete it and create a new one.
Using the key
Pass it as a Bearer token in the Authorization header. Every Tormano key starts with the brvk_ prefix:
Authorization: Bearer brvk_abc123...
The API base path is /api/v1 on your org's host — e.g. https://crm.tormano.com/api/v1/ or https://npcrm.tormano.com/api/v1/.
Common endpoints
GET /api/v1/contacts— list contacts with pagination.POST /api/v1/contacts— create a contact.GET /api/v1/contacts/[id]— fetch one.PATCH /api/v1/contacts/[id]— update.DELETE /api/v1/contacts/[id]— soft-delete.
Same pattern for companies, deals, donations, grants, volunteers, events, activities, custom-fields, and more.
Rate limits
The API tier allows 100 requests per minute. Exceeding it returns a 429 with rate-limit headers telling you when the window resets.
Audit trail
Every API call writes to the audit log with the API key as the actor. Deleting a key disables its access, but the historical audit records survive.
Webhooks vs polling
If you need real-time events, subscribe to outgoing webhooks instead of polling the API — lower latency, lower load, simpler code.