Overview

Authentication

The trumpet API uses Bearer token authentication. Every request must include a valid API key in the Authorization header.

Bearer Tokens

Include your API key in the Authorization header using the Bearer scheme:

Request Header

Authorization: Bearer trpt_a1b2c3_Ks8dF2m...

Every API key starts with the trpt_ prefix, followed by a short brand identifier and a cryptographically random string.

Example Request

cURL

curl https://trumpet.app/api/v1/pods/new \
  -H "Authorization: Bearer trpt_a1b2c3_your_key_here" \
  -H "Content-Type: application/json"

JavaScript (fetch)

const response = await fetch("https://trumpet.app/api/v1/pods/new", {
  method: "POST",
  headers: {
    "Authorization": `Bearer ${process.env.TRUMPET_API_KEY}`,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    crm_type: "hubspot",
    crm_object: "deals",
    crm_id: "12345",
    template_id: "tpl_abc123",
  }),
});

const data = await response.json();

Python (requests)

import os
import requests

response = requests.post(
    "https://trumpet.app/api/v1/pods/new",
    headers={
        "Authorization": f"Bearer {os.environ['TRUMPET_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "crm_type": "hubspot",
        "crm_object": "deals",
        "crm_id": "12345",
        "template_id": "tpl_abc123",
    },
)

data = response.json()

Scopes

Each API key is issued with one or more scopes that determine which endpoints it can access. If a key lacks the required scope for an endpoint, the API returns a 403 Forbidden response.

Scope	Access
`CreatePod`	Create new Pods via the `POST /v1/pods` endpoint

💡

More scopes coming soon

Additional scopes will be added as new API endpoints become available. Your existing keys will not gain new scopes automatically — you'll need to create new keys or update existing ones.

Key Management

You can manage your API keys from Settings → API Keys in the trumpet dashboard. From there you can:

Create keys

Generate a new key with a name and scopes. The raw key is shown only once.

Revoke keys

Immediately disable a key. The key remains visible in your list for auditing but stops working instantly.

Delete keys

Permanently remove a key from your list. The key is also revoked if it wasn't already.

Authentication Errors

If authentication fails, the API returns one of these responses:

Status	Meaning
`401 Unauthorized`	Missing or invalid API key. Check the Authorization header format and that the key is correct.
`403 Forbidden`	The API key is valid but lacks the required scope for this endpoint.

⚠️

Keep your keys safe

Never commit API keys to version control or include them in client-side code. Use environment variables or a secrets manager instead.