Browse all guides
Authentication
The Growee API authenticates with API keys - bearer tokens you create inside the app, scoped to a set of permissions and optionally locked to specific IP addresses.
Creating an API key
- Sign in to Growee and open Settings → Integrations → API Keys.
- Click Create API key and give it a descriptive name (e.g.
billing-sync-production). - Select the permission scopes the key needs. You can only grant permissions you hold yourself.
- Optionally add an IP allowlist - exact addresses (
203.0.113.7) or CIDR ranges (10.0.0.0/8). Leave it empty to allow all IPs. - Copy the key. It is displayed only once.
Using the key
Send the key with every request in the Authorization header:
curl "https://your-company.growee.net/api/restify/employees" \
-H "Authorization: Bearer <your-api-key>"
Permission scopes
Each key carries its own subset of your workspace permissions - the same permission model users have (e.g. Manage employees, Manage timesheets, Manage CRM). At request time the key’s effective access is the intersection of:
- the scopes selected when the key was created, and
- the live permissions of the user who created it.
Consequences worth designing around:
- A key can never do more than its creator. If the creator loses a permission, every key they created loses it too, immediately.
- Endpoints gated by a permission return
403 Forbiddenwhen the key lacks the matching scope. - Give each integration its own key with the fewest scopes that work - you can see per-key usage (
last_used_at) in the API Keys settings page.
IP allowlists
If a key has an IP allowlist, requests from any other address are rejected with 401 Unauthenticated - the same response as an invalid key, so callers on the wrong network learn nothing about the key’s validity. IPv4, IPv6 and CIDR notation are supported.
Workspace (tenant) resolution
Your workspace is identified by the subdomain of the request:
https://acme.growee.net/api/restify/... → the "acme" workspace
If your HTTP client cannot target the subdomain, pass the workspace explicitly:
https://api.growee.net/api/restify/employees?tenant=acme
The authenticated user must be a member of the workspace; otherwise the API responds 403.
Rotating and revoking keys
- Regenerate replaces the secret immediately while keeping the key’s name, scopes and IP allowlist. The old secret stops working the moment you regenerate.
- Delete revokes the key permanently.
Both actions are available in Settings → Integrations → API Keys, or programmatically via the API Keys endpoints.
What API keys cannot do
API keys are for the REST API only:
- They cannot be used as MCP credentials - connect AI tools with an MCP token instead.
- They cannot start browser sessions or OAuth flows.
Questions about the API? Contact support or email support@growee.net.