Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.getquikly.com/llms.txt

Use this file to discover all available pages before exploring further.

API keys let you access the Quikly REST API programmatically. Use them with n8n, custom scripts, CI/CD pipelines, or any HTTP client. The same kind of key authenticates the Discovery Copilot browser extension — see Discovery Copilot.

Create an API key

1

Open API key settings

Go to Settings → API Keys in the Quikly app.
2

Click Create API Key

Enter a descriptive name (e.g., “n8n automation” or “Cursor MCP”) and select the scopes you need.
3

Copy the key

The full key is shown only once. Copy it and store it somewhere safe — you cannot retrieve it later.

Scopes

Each API key has one or more scopes that control what it can do:
ScopeAccess levelExample operations
readRead-onlyList proposals, get proposal details, AI rate recommendations
writeWrite accessCreate proposals, share proposals, send messages
read,writeFull accessAll operations (default)
Follow the principle of least privilege. If an integration only needs to read data, create a key with read scope only.

Authenticate requests

Include your API key in the X-API-Key header on every request: 
curl -X GET "https://api.getquikly.com/api/external/v1/me" \
  -H "X-API-Key: qk_your_api_key_here"

Rate limits and quota

API calls are rate-limited per minute and capped monthly depending on your plan:
PlanMonthly quotaPer-minute limit
Starter15 calls10/min
Professional2,000 calls30/min
Agency2,000 calls60/min
Lifetime5,000 calls60/min
When you exceed your monthly quota, the API returns 402 Payment Required. When you exceed your per-minute limit, the API returns 429 Too Many Requests and includes a Retry-After header.

Per end-user limits (X-External-User-Id)

When X-External-User-Id is present (after normalization), the API applies additional limits on top of your account totals:
  • Per end-user per minute: default 12 requests/minute per distinct X-External-User-Id (configurable server-side).
  • Per end-user per UTC calendar month: default min(your plan's monthly API quota, 250) calls for that same X-External-User-Id.
If the end-user slice is exceeded, responses use 402 with error: external_user_quota_exceeded or 429 with error: external_user_rate_limit_exceeded. These limits use in-memory counters (they reset on server restart and on UTC month rollover for the monthly slice). They mitigate one downstream tenant burning an entire API key’s pool.

Per agent/workflow limits (X-Agent-Id)

When X-Agent-Id is present (after normalization), the same pattern applies independently of X-External-User-Id:
  • Per agent per minute: default 12 requests/minute (configurable server-side).
  • Per agent per UTC calendar month: default min(your plan's monthly API quota, 250) calls for that X-Agent-Id.
Errors: 402 with error: agent_id_quota_exceeded or 429 with error: agent_id_rate_limit_exceeded. If both X-External-User-Id and X-Agent-Id are set, all three limits apply: account-wide, per end-user, and per agent.

Integration traceability headers

For external integrations, send these headers on every request:
HeaderRequiredDescription
X-Partner-IdYesIntegration owner identifier (your workspace, app, or company slug).
X-External-User-IdYesEnd-user identifier in your system.
X-Agent-IdYesAgent or workflow identifier that triggered the request.
Requests without these headers can be rejected with 400 Bad Request.
Self-serve API keys are for your own direct integrations. Multi-tenant resale or proxying Quikly as a hidden backend for third-party customers is restricted and can trigger key suspension. See Self-serve vs Partner tier for the right tier for your use case.
Check your current usage with: 
curl -H "X-API-Key: qk_your_api_key_here" \
  "https://api.getquikly.com/api/external/v1/usage"
You can also pre-check before an operation: 
curl -H "X-API-Key: qk_your_api_key_here" \
  "https://api.getquikly.com/api/external/v1/usage/precheck?operation=proposal_create"

Response headers

Every response from the public API includes these attribution headers. Clients can safely ignore them, but they are useful for logging, debugging, and proving that a given piece of data came from Quikly:
HeaderDescription
X-Quikly-SourceAlways quikly.ai. Identifies the response as generated by Quikly’s API.
X-Quikly-EndpointThe exact endpoint path that produced the response.
X-Quikly-Generated-AtISO-8601 UTC timestamp of when the response was generated.
X-Quikly-Api-VersionAPI version that served the request (currently v1).
Removing or masking these headers before relaying Quikly-generated content to end-users is a breach of the Terms of Service §5.3.2 on self-serve plans. Partner integrations can negotiate attribution rules in their agreement.

Manage existing keys

In Settings → API Keys, you can:
  • Rename a key to keep your list organized
  • Deactivate a key temporarily without deleting it
  • Revoke a key permanently — revoked keys cannot be reactivated

Security best practices

Never commit API keys to version control or expose them in client-side code.
  • Use environment variables to store keys in your deployment environment.
  • Rotate keys periodically — create a new key, update your integrations, then revoke the old one.
  • Use the narrowest scope that your integration requires.
  • Set expiration when creating keys for temporary integrations. You can specify expires_in_days during creation.
  • Monitor usage by checking the usage endpoint or the API Keys page in the dashboard. Each key shows its last-used timestamp.
  • Revoke immediately if a key is compromised.

Key format

Quikly API keys follow the format qk_ followed by a random string. When you view keys in the dashboard, only the prefix (e.g., qk_abc1...) is visible — the full key is only shown at creation time.