Every endpoint Tormano's UI uses is also available as a REST API for programmatic access.
Creating an API key
Settings > Integrations > API Keys > + New API Key. Give it a name (e.g. "Production Zapier integration"), pick a scope (read-only vs read-write), and pick which entities it can access (contacts only, full access, etc.). Save.
The key is shown ONCE. Copy it now — you can't retrieve it later. If lost, revoke and create a new one.
Using the key
Pass as a Bearer token in the Authorization header:
Authorization: Bearer trm_live_abc123...API base URL is https://yourorg.tormano.com/api/v1/ (or crm.tormano.com / npcrm.tormano.com depending on your subdomain).
Common endpoints
GET /contacts— list contacts with pagination.POST /contacts— create a contact.GET /contacts/[id]— fetch one.PATCH /contacts/[id]— update.DELETE /contacts/[id]— soft-delete.
Same pattern for companies, deals, donations, grants, volunteers, events, activities, custom-fields, etc.
Rate limits
100 requests per minute per key. 429 response when exceeded with a Retry-After header.
Audit trail
Every API call writes to the audit log with the API key name as the actor. Revoking a key disables all its activity but the historical audit records survive.
Webhooks vs polling
If you need real-time events, use outgoing webhooks instead of polling the API. Lower latency, lower load, simpler code.