Attio workspace API keys let your workflows authenticate at the workspace level instead of through a person's account. The key is created by a workspace admin, belongs to the workspace rather than any individual, and does not expire — no one person's OAuth consent to lapse, and access can be revoked at any time by deleting the key.
Prerequisites
You need an Attio workspace admin. Only admins can create and manage access tokens.
Creating the API Key
Open Workspace settings in Attio (dropdown beside your workspace name) and go to the Developers tab
Click New access token and give it a name (e.g. Sim Integration)
Select the scopes the key needs. To match everything Sim's Attio blocks can do, grant:
record_permission (read-write)
object_configuration (read-write)
list_configuration (read-write)
list_entry (read-write)
note (read-write)
task (read-write)
comment (read-write)
user_management (read)
webhook (read-write)Record and object tools need record_permission plus object_configuration; list tools need list_configuration and list_entry; note, task, comment, and webhook tools need their respective scopes; member lookups need user_management:read.
Copy the key and store it somewhere safe.
Scopes are editable after creation — if a workflow later fails with a permission error, an admin can add the missing scope to the existing key in the Developers settings without rotating it.
The API key is bearer credentials for your Attio workspace. Treat it like a password — do not commit it to source control or share it publicly. Sim encrypts the key at rest.
Adding the API Key to Sim
Open your workspace Settings and go to the Integrations tab
Search for "Attio Service Account" and click it, then click Add to Sim and choose Add API key
Paste the API key and optionally set a display name and description
Click Add API key. Sim verifies the key by calling Attio's /v2/self endpoint — if it fails, you'll see a specific error explaining what went wrong.
The key is encrypted before being stored.
A key with missing scopes still validates successfully — the validation endpoint is reachable with any live key. Check the scopes granted to the key in Attio: tools whose scopes are missing will fail at run time with permission errors.
Using the Service Account in Workflows
Add an Attio block to your workflow. In the credential dropdown, your Attio service account appears alongside any OAuth credentials. Select it and configure the block as you normally would.
The block calls the Attio API (api.attio.com/v2) with the key as a standard Bearer credential, with whatever scopes the admin granted the key.