Getting started
Authentication
Every request to the FundingScout API uses a bearer token sent via the standard Authorization header.
The header
Authorization: Bearer fs_live_<your_key>
That's the entire auth surface — no signing, no OAuth flows, no timestamps. Send the bearer token on every request.
Getting a key
- 1. Have a Pro subscription. Free and Basic users hit 403 on every endpoint. Upgrade at Settings.
- 2. Go to Settings → API Keys and click Create new key.
- 3. Name the key (e.g. hubspot-prod-sync) and copy the full token shown in the modal — we only show it once.
- 4. Store it in your secrets manager (1Password, AWS Secrets Manager, your platform's env-var system). Treat it like a password.
Key format
Keys always start with fs_live_ followed by 32 base-62 characters. The first 12 characters (e.g. fs_live_a1b2) are stored as a prefix for UI display and quick lookup; the full key is stored only as a SHA-256 hash. Even FundingScout staff can't recover the plaintext.
Revoking a key
At Settings → API Keys click Revoke next to any key. Revocation is immediate — the next request with that key returns 401. Revoked keys are kept in the database (never deleted) so audit logs remain valid.
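The storage and revocation scheme described under "Key format" and "Revoking a key", sketched as an added example (not FundingScout's code). The KeyStore class, its method names and the in-memory dict are assumptions made for illustration; only the key format, the 12-character prefix, the SHA-256 hash and the 401 responses come from this page.

```python
import hashlib
import hmac
import re
import secrets
import string

BASE62 = string.digits + string.ascii_letters
KEY_RE = re.compile(r"fs_live_[0-9A-Za-z]{32}")  # format stated on this page
PREFIX_LEN = 12  # "fs_live_" plus the first 4 random characters


class KeyStore:
    """Hypothetical store: holds only prefix, SHA-256 hash and a revoked flag."""

    def __init__(self):
        self._rows = {}  # prefix -> list of rows (prefixes can collide)

    def create(self, name):
        key = "fs_live_" + "".join(secrets.choice(BASE62) for _ in range(32))
        digest = hashlib.sha256(key.encode()).hexdigest()
        row = {"name": name, "sha256": digest, "revoked": False}
        self._rows.setdefault(key[:PREFIX_LEN], []).append(row)
        return key  # the plaintext is returned once and never stored

    def revoke(self, prefix, name):
        for row in self._rows.get(prefix, []):
            if row["name"] == name:
                row["revoked"] = True  # flagged, not deleted, so audit logs stay valid

    def authenticate(self, header):
        """Return the HTTP status for an Authorization header value."""
        scheme, _, token = (header or "").partition(" ")
        if scheme != "Bearer" or not KEY_RE.fullmatch(token):
            return 401  # missing "Bearer" prefix or malformed key
        digest = hashlib.sha256(token.encode()).hexdigest()
        for row in self._rows.get(token[:PREFIX_LEN], []):
            # constant-time comparison of the stored and presented hashes
            if hmac.compare_digest(row["sha256"], digest):
                return 401 if row["revoked"] else 200
        return 401
```

Because the key carries 32 random base-62 characters, a single unsalted SHA-256 is a reasonable fit here; the same construction would not be appropriate for human-chosen passwords.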
Multiple keys per user
One Pro account can have many keys (e.g., one per integration: Salesforce sync, HubSpot sync, internal data warehouse, dev/staging). All keys share the same underlying CRM data — rotating a key doesn't lose your synced accounts/contacts. The synced data is scoped to your account, not to a specific key.
Same key for every API surface
The CRM Match API, the MCP integration (for Claude Code and other MCP-compatible clients), and any future FundingScout API surface all use the same fs_live_ keys. One credential, every product.
Common mistakes
Missing Bearer prefix
The header must be Authorization: Bearer fs_live_... (with the literal word "Bearer" before the key). Sending just Authorization: fs_live_... returns 401.
Using a revoked key
Returns 401 invalid_or_revoked_key. Generate a new key.
Hitting the API with a Free/Basic account
Returns 403 pro_required. Upgrade to Pro.
Forgetting to URL-encode special characters
Most API keys are alphanumeric, but if you ever see a `+`, `/`, or `=` in a key (unlikely), URL-encode it when passing in query strings.
Next: Quickstart
With your key in hand, follow the 5-minute quickstart to send your first request.