Attio API Keys

Attio workspace API keys let your workflows authenticate at the workspace level instead of through a person's account. The key is created by a workspace admin, belongs to the workspace rather than any individual, and does not expire — no one person's OAuth consent to lapse, and access can be revoked at any time by deleting the key.

Prerequisites

You need an Attio workspace admin. Only admins can create and manage access tokens.

Creating the API Key

Open Workspace settings in Attio (dropdown beside your workspace name) and go to the Developers tab

Click New access token and give it a name (e.g. Sim Integration)

Select the scopes the key needs. To match everything Sim's Attio blocks can do, grant:

record_permission     (read-write)
object_configuration  (read-write)
list_configuration    (read-write)
list_entry            (read-write)
note                  (read-write)
task                  (read-write)
comment               (read-write)
user_management       (read)
webhook               (read-write)

Record and object tools need record_permission plus object_configuration; list tools need list_configuration and list_entry; note, task, comment, and webhook tools need their respective scopes; member lookups need user_management:read.

Copy the key and store it somewhere safe.

Scopes are editable after creation — if a workflow later fails with a permission error, an admin can add the missing scope to the existing key in the Developers settings without rotating it.

The API key is bearer credentials for your Attio workspace. Treat it like a password — do not commit it to source control or share it publicly. Sim encrypts the key at rest.

Adding the API Key to Sim

Open your workspace Settings and go to the Integrations tab

Search for "Attio Service Account" and click it, then click Add to Sim and choose Add API key

Paste the API key and optionally set a display name and description

Click Add API key. Sim verifies the key by calling Attio's /v2/self endpoint — if it fails, you'll see a specific error explaining what went wrong.

The key is encrypted before being stored.

A key with missing scopes still validates successfully — the validation endpoint is reachable with any live key. Check the scopes granted to the key in Attio: tools whose scopes are missing will fail at run time with permission errors.

Using the Service Account in Workflows

Add an Attio block to your workflow. In the credential dropdown, your Attio service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.

The block calls the Attio API (api.attio.com/v2) with the key as a standard Bearer credential, with whatever scopes the admin granted the key.

Common Questions

No — Attio access tokens do not expire. They stay valid until a workspace admin deletes them, which revokes access immediately.
No. Only workspace admins can create and manage access tokens. Ask a workspace admin to create the key for you.
The key is missing a scope. Validation only checks that the key is alive, not which scopes it carries. Have an admin open the key in Workspace settings → Developers and add the missing scope — scopes are editable after creation, no rotation needed.
No. Attio has a single API host and the key itself identifies the workspace — the key is all the credential needs.
Create a new access token with the same scopes in Attio, update the credential in Sim with the new key, and once it's working, delete the old token.
The key belongs to the workspace, not the creating admin's user account — it keeps working regardless of who created it, until it's deleted.

On this page