API key permissions update

We've redesigned how API key permissions work to give you precise control over what each key can access.

You can now set read and write permissions independently for each resource type — donations, supporters, events, recurring plans, and Fundraisers. This replaces the previous bundled permission model.

API Key creation window in the Dashboard

A single API key can now have different permissions for Live and Test data simultaneously. For example, one key could have full access to Test data for development while having read-only access to Live data.

All new API keys require you to specify the livemode parameter in every request (as true or false), even if your key only has permissions for one mode.

The following changes may affect how you use the API.

You can no longer generate Donor Portal access links. If you need to test this functionality, you can safely use it with real supporters in Live mode — the links expire after 1 minute and must be used immediately, so there's no risk of unintended access.

API keys created before this release cannot be edited in the Dashboard. They continue to work with their original permissions, but you'll need to create a new key to use the new granular permissions.

Existing API keys will continue to work as before for the next 6 months, after which they will be deactivated. Any operation available through your old permissions remains accessible during this period.