HomeHelp CenterIntegrations & API

REST API and API keys

Programmatic access to your Tormano data.

3 min read · Updated Jul 4, 2026

Every endpoint Tormano's UI uses is also available as a REST API for programmatic access.

Creating an API key

Settings > Integrations > API Keys > + New API Key. Give it a name (e.g. "Production Zapier integration"), tick the permissions it should carry, and optionally set an expiry. Save.

Permissions are verb-scoped and enforced on top of your own role:

  • read = GET requests
  • write = POST / PATCH requests
  • delete = DELETE requests

There's no per-entity picker in the create dialog — a key's reach is these verbs across the modules your role already allows. You can also set Expires In (days); leave it blank for a key that never expires.

The key is shown once. Copy it now — you can't retrieve it later. If lost, delete it and create a new one.

Using the key

Pass it as a Bearer token in the Authorization header. Every Tormano key starts with the brvk_ prefix:

Authorization: Bearer brvk_abc123...

The API base path is /api/v1 on your org's host — e.g. https://crm.tormano.com/api/v1/ or https://npcrm.tormano.com/api/v1/.

Common endpoints

  • GET /api/v1/contacts — list contacts with pagination.
  • POST /api/v1/contacts — create a contact.
  • GET /api/v1/contacts/[id] — fetch one.
  • PATCH /api/v1/contacts/[id] — update.
  • DELETE /api/v1/contacts/[id] — soft-delete.

Same pattern for companies, deals, donations, grants, volunteers, events, activities, custom-fields, and more.

Rate limits

The API tier allows 100 requests per minute. Exceeding it returns a 429 with rate-limit headers telling you when the window resets.

Audit trail

Every API call writes to the audit log with the API key as the actor. Deleting a key disables its access, but the historical audit records survive.

Webhooks vs polling

If you need real-time events, subscribe to outgoing webhooks instead of polling the API — lower latency, lower load, simpler code.