Inbound Integration Keys

Inbound integration keys let you send conversion events to CleanClicks from external systems: CRMs, marketing automation platforms, webhook-based integrations, or custom backends.

Accessing Inbound Integration Keys

1. Go to Configuration in the sidebar
2. Select your domain
3. Click the Inbound Integration Keys tab

Plan Limits

Creating an Inbound Integration Key

1. Click Create Inbound Integration Key
2. Give it a descriptive name (e.g., "Zapier Integration," "CRM Webhook," "Backend Server")
3. Click Create

The full inbound integration key is displayed once. Copy it immediately and store it securely. After you close the dialog, you'll only see a masked version.

Inbound integration keys use a cc_ prefix followed by a random string. Example: cc_a1b2c3d4e5f6...

Using an Inbound Integration Key

Include the inbound integration key in the X-CC-Api-Key header when sending events to the CleanClicks inbound endpoint:

POST https://cleanclicks.yourdomain.com/__cc/inbound
Content-Type: application/json
X-CC-Api-Key: cc_your_api_key_here

{
  "email": "customer@example.com",
  "event": "purchase",
  "value": 99.99,
  "currency": "USD"
}

See Inbound Webhooks for the full API reference and payload format.

Managing Inbound Integration Keys

Viewing Keys

The Inbound Integration Keys tab shows all keys for the selected domain:

• Name — the label you gave it
• Key prefix — first few characters for identification (full key is masked)
• Created date
• Last used — when the key was last used to authenticate a request
• Status — Active or Revoked

Revoking a Key

If a key is compromised or no longer needed:

1. Find the key in the list
2. Click Revoke
3. Confirm

Revoked keys immediately stop working. Any system using that key will receive authentication errors.

Restoring a Revoked Key

If you revoked a key by mistake, you can restore it:

1. Find the revoked key
2. Click Restore

The same key becomes active again with the same value. No need to update your integrations.

Deleting a Key

Permanently delete a key by clicking Delete. This is irreversible, unlike revoking.

Security Best Practices

• One key per integration. If you use Zapier and a custom backend, create separate keys. This lets you revoke one without affecting the other.
• Never put Inbound integration keys in client-side code. Inbound integration keys are for server-to-server communication only. They should never appear in JavaScript, HTML, or any code that runs in a browser.
• Rotate keys periodically. Create a new key, update your integration, then revoke the old key.
• Use descriptive names. When you need to revoke a key six months from now, you'll want to know which integration it belongs to.

Next: Connections Overview