Developers / API
The Developers / API page (/settings/developers) manages the workspace's public API key
used for authenticated access to Gordon CRM's public endpoints.
Public API Key
Each workspace can have one public API key. The key is used to authenticate requests to the public events API and other read-only endpoints.
Key Format
Keys follow the format:
pk_live_[random-string]
The pk_live_ prefix indicates a live production key. Only the prefix is stored in the database after initial generation — the full key is shown once and cannot be retrieved afterward.
Generating a Key
If no key exists, the page displays an empty state with a Generate API Key button. On click:
- A new key is generated server-side
- The full key is displayed in a highlighted box with copy and show/hide controls
- A warning reads: "Copy this key now — it will not be shown again after you leave this page."
Returning to the Page
After leaving the page, only the key prefix is displayed (e.g., pk_live_abc1••••••••). The
full key is irrecoverable — this is a standard security practice.
Regenerating a Key
If a key already exists, a Regenerate Key button is available. Clicking it opens a confirmation dialog:
"This will immediately invalidate your current API key. Any website using the old key will stop receiving events until the new key is configured."
On confirmation, the old key is invalidated and a new key is generated and displayed (one-time view).
API Usage
Endpoint
GET https://app.gordoncrm.com/api/v1/public/events
Authentication
Include the API key in the Authorization header:
Authorization: Bearer pk_live_YOUR_KEY_HERE
Security
⚠️ Never expose your live key in client-side browser code. The pk_live_ key must be kept on a server. If you need to fetch events from a client-side application (React, Vue, vanilla JS), create a lightweight proxy on your hosting provider (e.g., a Cloudflare Worker, Netlify Function, or a simple PHP script) that holds the key securely and proxies requests to Gordon CRM.
Usage Patterns
| Pattern | Approach |
|---|---|
| Server-side (Next.js, Node.js, Python, PHP) | Call the API directly with the key in the Authorization header |
| Client-side SPA (Vite, Create React App) | Create a server-side proxy that holds the key. Your frontend fetches from the proxy. |
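
A proxy of the kind described above, as an added example that is not part of Gordon CRM's documentation or code: it pins the upstream URL and method, attaches the key server-side, and returns only the upstream body and status to the browser. The GORDON_API_KEY variable name, the allowed-origin value and the function names are assumptions.

```javascript
// Added example (not Gordon CRM code). Assumed names: GORDON_API_KEY,
// ALLOWED_ORIGINS, planUpstream, clientHeaders, handleRequest.
const UPSTREAM = "https://app.gordoncrm.com/api/v1/public/events";
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]); // constructed value

// Decide what, if anything, is sent upstream. The browser never chooses the
// URL, the method or the Authorization header; all three are fixed here.
function planUpstream(method, origin, apiKey) {
  if (method !== "GET") return { status: 405 };
  // Origin is a browser-enforced hint, not authentication; it only keeps
  // other sites' front ends from reusing this proxy.
  if (origin && !ALLOWED_ORIGINS.has(origin)) return { status: 403 };
  // Fail closed if the secret is missing or is not a pk_live_ key.
  if (!apiKey || !apiKey.startsWith("pk_live_")) return { status: 500 };
  return {
    status: 200,
    url: UPSTREAM,
    init: { method: "GET", headers: { Authorization: `Bearer ${apiKey}` } },
  };
}

// Headers returned to the browser. Upstream headers are not copied wholesale.
function clientHeaders(origin, contentType) {
  const headers = { "Content-Type": contentType };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
  }
  return headers;
}

async function handleRequest(request, env, fetchImpl = fetch) {
  const origin = request.headers.get("Origin");
  const plan = planUpstream(request.method, origin, env.GORDON_API_KEY);
  if (plan.status !== 200) {
    // Generic error body: no detail about the key or the upstream call.
    return new Response(JSON.stringify({ error: "request rejected" }),
      { status: plan.status, headers: clientHeaders(origin, "application/json") });
  }
  const upstream = await fetchImpl(plan.url, plan.init);
  const type = upstream.headers.get("Content-Type") || "application/json";
  return new Response(await upstream.text(),
    { status: upstream.status, headers: clientHeaders(origin, type) });
}

// Cloudflare Workers module entry point (other hosts call handleRequest directly):
// export default { fetch: (request, env) => handleRequest(request, env) };
```

Store the key as a platform secret bound to GORDON_API_KEY rather than in the source file, and replace the proxy's secret after using Regenerate Key, since the old key stops working immediately.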
RBAC
| Operation | Required Role |
|---|---|
| View API key status | All members |
| Generate / Regenerate key | All members |
Related Documentation
- Events → Registration — Full documentation of the public events API response format, including display_price, ticket_class_count, and CORS configuration.
- Forms → Server / API Key — API key authentication for server-side form submissions (uses a different key type).