API Keys

API keys let you connect external tools, scripts, and AI assistants to your FanDesk account via the REST API and the MCP protocol (250+ tools).

Creating an API Key

Go to Settings > Integrations
Scroll to the API Keys section
Click Generate Key
Enter a descriptive name that tells you what the key is for:
- "Claude Code" — for AI-assisted development
- "Claude Desktop" — for the desktop AI assistant
- "Zapier" — for workflow automation
- "CI/CD Pipeline" — for deployment scripts
Click Generate
Copy the key immediately — it will not be shown again after you close the dialog

Store the key in a secure location (a password manager, an environment variable, or your OS keychain). Do not paste it into files that get committed to git.

Key Format

FanDesk API keys always start with fdk_:

fdk_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6q7r8s9t0

Keys are 40+ characters long and randomly generated. Each key is cryptographically unique.

Key Permissions

API keys inherit the full permissions of the user who created them:

Area	Access Level
Projects & Tasks	Only projects you are a member or lead of
Pages	Organization pages, your own pages, and pages shared with you
Mail & Calendar	Your connected Google accounts only
Chat	Channels you are a member of
Incidents	All incidents visible to your organization
Contacts	Your organization's contact directory
Drive	Your connected Google Drive accounts
Forms	Forms in your organization

Keys cannot access anything you cannot access yourself in the app. No API key has elevated privileges.

Admins do not get admin-level API keys by default — standard permissions apply.

Using Keys with MCP

The primary use case for API keys is connecting AI assistants to FanDesk via the MCP (Model Context Protocol). This gives your AI assistant access to 250+ FanDesk tools.

Connect Claude Code

Run this command in your terminal, replacing the placeholders with your actual domain and key:

claude mcp add fandesk   --transport streamable-http   --url https://your-fandesk-domain.com/mcp   --header "Authorization: Bearer fdk_your_key_here"

Connect Claude Desktop

Add this to your Claude Desktop configuration file (claude_desktop_config.json):

{
  "mcpServers": {
    "fandesk": {
      "url": "https://your-fandesk-domain.com/mcp",
      "headers": {
        "Authorization": "Bearer fdk_your_key_here"
      }
    }
  }
}

Connect Any MCP Client

Any MCP-compatible client can connect using:

Transport: Streamable HTTP (or SSE for older clients)
URL: https://your-domain.com/mcp
Auth: HTTP header Authorization: Bearer fdk_your_key

Using Keys with the REST API

Authenticate REST API requests by including your key in the Authorization header:

curl -H "Authorization: Bearer fdk_your_key_here"      https://your-fandesk-domain.com/api/tasks

All API endpoints that require authentication accept Bearer token auth.

Managing Your Keys

Viewing Keys

Go to Settings > Integrations to see all your API keys. For security, only the key prefix is shown in the list (e.g., fdk_a1b2c3...). You cannot retrieve the full key — if lost, revoke and generate a new one.

Revoking a Key

Find the key in Settings > Integrations
Click the trash icon next to it
Confirm the revocation
The key stops working immediately — any integration using it will get 401 Unauthorized errors

Revoking is permanent. If you revoke by mistake, generate a new key and update your integrations.

Security Best Practices

Generate one key per integration — Do not use one key for everything. If a key is compromised, revoking it should only affect one integration.

Use descriptive names — In 6 months, you should be able to tell from the name exactly what integration each key is for.

Never commit keys to git — Use environment variables instead:

# In your .env file (add .env to .gitignore)
FANDESK_API_KEY=fdk_your_key_here

# In your code
api_key = os.environ["FANDESK_API_KEY"]

Rotate keys periodically — Every 90 days, generate a new key, update your integrations, then revoke the old key. This limits exposure if a key was ever intercepted.

Revoke immediately when no longer needed — End-of-project, offboarding a team member who had a key, or decommissioning a service.

How Keys Are Stored

FanDesk stores only a cryptographic hash of your key, not the key itself. This means:

We cannot see your key after it is generated
Even a database compromise would not expose your raw key
All actions taken via a key are logged and attributed to your user account

Next: See all available MCP tools in MCP Tools.