Quick answer

Settings → API Keys → Create Token. Give it a name, pick scope (read-only or read/write), and click Create. Winnr generates a token starting with "wnr_" — copy it immediately, it won't be shown again. Add the token as Authorization Bearer wnr_... to API requests. Revoke any time from the same page.

The API page showing the API Keys table with a token, read/write permissions, and a Create Token button

Token format

Every Winnr token starts with wnr_, followed by your account ID and then a random string. The prefix helps identify Winnr tokens in logs or secret managers vs. other services.

Full format: wnr_<account_id>_<24 random alphanumeric chars>

Scope choices

Read-only — safe default for scripts that only pull data. Can list every resource type, read metrics, and download exports. Cannot create, modify, or delete anything.

Read/write — full CRUD across the API. Required for automation that provisions domains, creates mailboxes, or enables warming.

Don't pick read/write unless you need it. Compromised read-only tokens can leak data; compromised read/write can also delete resources.

Storage best practices

Revoking a token

Settings → API Keys → find the token → three-dot menu → Revoke.

Revocation is immediate. Any API calls using the token from that moment on will fail with 401 Unauthorized. Update your apps first, then revoke.

What's next

Step-by-step

  1. 1. Open API Keys settings

    Settings → API Keys tab.

  2. 2. Click Create Token

    A dialog opens.

  3. 3. Name the token

    Choose a descriptive name — usually the app or script that will use it (e.g., "AI SDR pipeline", "weekly export cron").

  4. 4. Pick a scope

    Read-only can list domains, mailboxes, and metrics. Read/write can create, update, and delete. Pick read-only when the token is going in a script that only pulls data.

  5. 5. Create and copy the token

    Winnr generates and displays it once. Copy immediately into your secret store. Refreshing or navigating away means the token is unrecoverable — you'd need to create a new one.

Frequently asked questions

What if I lose the token?

You can't recover it. Create a new token, update your app to use the new one, and revoke the old one.

How many tokens can I create?

No hard limit. Best practice — one token per app/use case so revocation is scoped.

Do tokens expire?

Not by default. Set an expiration date at creation if you want auto-expiry (useful for temporary integrations).

Are tokens rate-limited per token or per account?

Per account. All tokens on your account share the plan's rate limit (300/min Startup, 500/min Enterprise).

What if a token is compromised?

Revoke immediately (Settings → API Keys → three-dot menu → Revoke). Create a new token, roll the old one out of any deployed apps.

Was this article helpful? Yes · No