FieldCamp API Authentication: fc_live API Keys and Scopes

Q: Why did my webhook registration return 403 Forbidden?

Most likely the key is missing the integrations:write scope. The older webhooks:manage name is not in use - re-issue the key with integrations:write selected and try again.

Q: What scope do I need to update a visit's status from the field?

You need visits:write. Read-only mobile integrations only need visits:read, but anything that posts arrival time, completion, or notes back to FieldCamp must include visits:write.

Q: Does the X-Api-Key header have case-sensitivity quirks?

The header name is case-insensitive per the HTTP spec - X-Api-Key, X-API-Key, and x-api-key all match. The key value itself is case-sensitive and must include the fc_live_ prefix exactly as copied from Settings.

Set up FieldCamp API authentication with fc_live keys, X-Api-Key headers, and granular scopes for secure, role-based integrations.

FieldCamp API authentication uses self-serve API keys prefixed with fc_live_ that you create, scope, and rotate directly from your workspace. Each key is bound to your tenant, carries a granular set of scopes, and can be sent on every request as either an Authorization: Bearer token or the equally first-class X-Api-Key header — so your integrations only do what you intend, however your HTTP client prefers to send credentials. This guide walks dispatchers, owners, and developers through generating keys, picking scopes, signing requests, and rotating credentials before they leak. For an overview of every endpoint these keys unlock, start with the FieldCamp API reference.

If you previously received a long-lived JWT from FieldCamp support, it still works — but new integrations should use self-serve fc_live_ keys created through /api/v1/api-keys so you keep full control over scopes and rotation.

How FieldCamp API keys work

Every API key is a string that starts with fc_live_ followed by a random secret. The prefix tells you the environment at a glance, and the secret half is what authenticates the request. Keys are tied to:

A tenant — your company and branch context, set automatically when you create the key while signed in.
A set of scopes — what the key is allowed to read or write (for example, clients:read, jobs:write, invoices:read).
An optional expiry — short-lived keys are encouraged for partner integrations and one-off scripts.
A last-used timestamp — visible in Settings so you can spot stale or compromised keys quickly.

Because keys carry scopes, a dispatcher building a small automation can issue a read-only key for Job management without ever touching billing data in Creating invoices.

Create a self-serve fc_live API key

Open API keys in Settings

Sign in to FieldCamp and open Settings → Developer → API Keys. Only team roles with admin permissions can create or revoke keys.

Click Create key and name it

Use a name that describes the integration ("Zapier — Job Sync", "Internal BI — Read"). Names make rotation painless six months from now when you're staring at a long list.

Select scopes

Pick the smallest set of scopes that lets the integration do its job. You can always add more later; you cannot un-leak a key that had too many.

Copy the fc_live secret once

After creation, FieldCamp shows the full fc_live_... secret a single time. Store it in your secrets manager. If you lose it, revoke and create a new one.

Confirm with a test call

Send GET /api/v1/company-info (see the Company Info resource for the response shape, then explore the data in your Analytics overview) to verify the key, scopes, and tenant are correct.

Send authenticated requests

FieldCamp accepts your fc_live_ key two equally supported ways. Pick whichever fits your HTTP client and stack — both are first-class and route through the same authentication pipeline.

Authorization: Bearer <key> — the standard OAuth-style header most SDKs send by default.
X-Api-Key: <key> — a header-only alternative that avoids the Bearer prefix, ideal for serverless gateways, low-code platforms, and tools that don't expose the Authorization header cleanly.

The X-Api-Key header is case-insensitive on the header name itself — X-API-Key, x-api-key, and X-Api-Key all work — but the key value must match exactly, including the fc_live_ prefix.

# Authorization bearer (recommended for most SDKs)
curl https://api.fieldcamp.ai/api/v1/company-info \
  -H "Authorization: Bearer $FIELDCAMP_API_KEY"

# X-Api-Key header (first-class alternative)
curl https://api.fieldcamp.ai/api/v1/company-info \
  -H "X-Api-Key: $FIELDCAMP_API_KEY"

import axios from 'axios';

const fc = axios.create({
  baseURL: 'https://api.fieldcamp.ai',
  headers: {
    Authorization: `Bearer ${process.env.FIELDCAMP_API_KEY}`,
    'Content-Type': 'application/json',
  },
  timeout: 30_000,
});

const { data } = await fc.get('/api/v1/company-info');
console.log(data);

import os, requests

key = os.environ["FIELDCAMP_API_KEY"]

# Either header works — pick one
r = requests.get(
    "https://api.fieldcamp.ai/api/v1/company-info",
    headers={"X-Api-Key": key},
    timeout=30,
)
r.raise_for_status()
print(r.json())

Always set Content-Type: application/json for write requests. For file uploads on job attachments, use multipart/form-data instead. Never send both Authorization and X-Api-Key on the same request — if they disagree, FieldCamp rejects the call with 401.

Pick the right scopes

Scopes are namespaced as resource:action. The most common combinations match common workflows in FieldCamp's lead-to-payment workflow:

Scope	What it grants
`clients:read` / `clients:write`	List, fetch, create, and update clients managed through your CRM.
`jobs:read` / `jobs:write`	Read and create jobs used by your dispatch team.
`visits:read` / `visits:write`	Read and update individual visits inside a job — required for mobile, dispatch, and route-optimization integrations.
`invoices:read` / `invoices:write`	Pull or push invoice data into accounting tools.
`items:read` / `items:write`	Manage products and services in your price book.
`integrations:write`	Register and rotate webhook endpoints and other integration connections.
`api-keys:manage`	Create and revoke other API keys — restrict this to admin automation only.

The webhook management scope is integrations:write, not the older webhooks:manage name you may have seen in early-access docs. If a request returns 403 Forbidden when you register a webhook, re-issue the key with integrations:write selected.

Avoid creating a single "do everything" key for production. A leaked read-only key is recoverable; a leaked write key with api-keys:manage is not.

Choose between Authorization and X-Api-Key

Both headers are equally supported, but each is better suited to certain situations. Use this guide to pick:

Pick Authorization: Bearer when you're using an off-the-shelf SDK (Axios, Requests, OkHttp), when you might also call other Bearer-token APIs from the same client, or when you want consistent observability with standard logging stacks that parse the Authorization header.
Pick X-Api-Key when you're calling FieldCamp from a serverless platform that strips or rewrites Authorization, from a low-code tool like Zapier or Make where the Bearer prefix would need manual concatenation, or from a reverse proxy that already uses Authorization for its own gateway-level auth.

For dispatch and mobile integrations that touch the dispatch calendar, X-Api-Key is often easier because mobile networking libraries sometimes mangle the Authorization header during cellular handoffs.

Manage keys via the API

You can also script key management with the same fc_live_ credentials that have the api-keys:manage scope. The /api/v1/api-keys resource supports listing, creating, and revoking keys so you can rotate them in CI pipelines.

# List existing keys (returns metadata, never the full secret)
curl https://api.fieldcamp.ai/api/v1/api-keys \
  -H "X-Api-Key: $FIELDCAMP_ADMIN_KEY"

# Revoke a key by id
curl -X DELETE https://api.fieldcamp.ai/api/v1/api-keys/key_123 \
  -H "Authorization: Bearer $FIELDCAMP_ADMIN_KEY"

This pairs nicely with Workflow automation: trigger a scheduled rotation, store the new key in your secrets vault, and revoke the previous one once deploys complete.

Rotate, revoke, and audit

Treat each fc_live_ key like a credential, because it is. Build the habit early:

Rotate keys at least every 90 days, and immediately if a teammate with access leaves.
Use one key per integration so revoking one never breaks the others.
Keep an audit trail by tagging each key with the integration name and owner.
Pair sensitive write keys with IP allowlists in your reverse proxy.
Review the Last used column monthly and revoke any key that hasn't been called in 60 days.

If you suspect a leak, revoke the key in the dashboard right away. New requests using that secret will return 401 Unauthorized immediately, regardless of which header carried it. See API errors for the full list of authentication responses, and use idempotency keys on retries so a replayed write never duplicates work.

Troubleshoot authentication errors

A few patterns explain almost every failing request:

401 Unauthorized — The key is missing, revoked, expired, or both Authorization and X-Api-Key were sent with conflicting values. Make sure there's exactly one space between Bearer and the key, and that you're only sending one credential header per request.
403 Forbidden — The key is valid but the requested scope is missing. The most common version of this is registering a webhook without integrations:write, or updating visits without visits:write. Re-issue the key with the right scope.
404 Not Found — The resource exists in a different tenant. API keys never cross tenants; check the branch you signed in with when creating the key.
429 Too Many Requests — You've hit rate limits; back off using the Retry-After header.

FAQs

Can I send both Authorization and X-Api-Key in the same request?

No. If both headers are present and disagree, FieldCamp rejects the request with 401 Unauthorized. Pick one credential header per call.

Why did my webhook registration return 403 Forbidden?

Most likely the key is missing the integrations:write scope. The older webhooks:manage name is not in use — re-issue the key with integrations:write selected and try again.

What scope do I need to update a visit's status from the field?

You need visits:write. Read-only mobile integrations only need visits:read, but anything that posts arrival time, completion, or notes back to FieldCamp must include visits:write.

Does the X-Api-Key header have case-sensitivity quirks?

The header name is case-insensitive per the HTTP spec — X-Api-Key, X-API-Key, and x-api-key all match. The key value itself is case-sensitive and must include the fc_live_ prefix exactly as copied from Settings.

Can I scope a key to a single branch or location?

Yes. When you create the key while inside a specific branch context, the key is bound to that tenant. Switch branches before issuing the key if you want a different one.

For deeper integration questions, the API quickstart walks through making your first end-to-end call, and the changelog tracks scope and endpoint changes.

API quickstart

Make your first authenticated call to FieldCamp in under 10 minutes.

Webhooks

Push events from FieldCamp into your own systems with signed payloads.