Attio

CRM

Manage contacts, companies, and relationships in Attio

Attio developer console OAuth setup guide API docs

Installing Attio creates a resource for the upstream API and the OAuth provider Keycard needs to mint tokens for it. Your app calls Keycard’s token exchange, gets back a token scoped to Attio, and uses it to call the API directly. Every exchange is governed by your zone’s identity provider, access policies, and audit log - the OAuth client secret stays inside Keycard.

Scopes

SCOPES

OAuth permissions Keycard requests on install. Override or add scopes in Console.

record_permission:read: default
list_entry:read: default
user_management:read
user_management:read-write
record_permission:read-write
object_configuration:read
object_configuration:read-write
list_entry:read-write
list_configuration:read
list_configuration:read-write
public_collection:read
public_collection:read-write
private_collection:read
private_collection:read-write
comment:read
comment:read-write
task:read
task:read-write
note:read
note:read-write
meeting:read
meeting:read-write
call_recording:read
call_recording:read-write
webhook:read
webhook:read-write
file:read
file:read-write
scim_management:read
scim_management:read-write

Install

INSTALL

Add Attio to your zone so your app can exchange tokens for it.

Step 1 - Start the install in Keycard Console

In your zone’s Keycard Console, go to Resources -> Explore Resources.
Search for Attio and click into the catalog entry.
The install dialog shows a Redirect URI. Copy it - you’ll paste it into Attio in Step 2. Leave this Keycard tab open.

Step 2 - Create the OAuth app for Attio

Create an Attio app

Go to Attio Build
Click New app
Enter a Name for your app (e.g., “Keycard”) and click Create app

Enable OAuth and get credentials

Go to the OAuth tab
Toggle OAuth on to enable it
Copy the Client ID and Client Secret
Under Redirect URIs, click New redirect URI and add the redirect URI provided by Keycard
Under Scopes, click Configure scopes and add the scopes your app needs

Step 3 - Finish the install in Keycard Console

Switch back to the Keycard install dialog you left open in Step 1.
Paste the Client ID and Client Secret from Step 2.
Click Add Attio. The resource is provisioned and your app can start exchanging tokens for it.

Use Attio from your code

USE FROM CODE

Call Attio from your application with a Keycard-issued token scoped to this resource.

After installing Attio, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.

Python
TypeScript

from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Attio token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://api.attio.com",
    )

# Call Attio directly with the exchanged token.
r = requests.get(
    "https://api.attio.com/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)

import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://api.attio.com",
});

// Call Attio directly with the exchanged token.
const res = await fetch("https://api.attio.com/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});

See the OAuth SDK → Token Exchange reference for the full client API.

Troubleshooting

TROUBLESHOOTING

Common errors when wiring Attio into your zone.

Error 401: Unauthorized

The access token is invalid or expired. Try re-connecting the provider. If the issue persists, check that:

The OAuth credentials match between Keycard and Attio Build
The integration is still active in your Attio workspace

Error 403: Insufficient scope

The token doesn’t have the required scopes. Verify the scopes in your Attio integration settings match those configured in Keycard Console.

Next steps

NEXT STEPS

What to do once Attio is installed.

Now do this

Call Attio from your code - see the Use Attio from your code section above for Python and TypeScript samples.

Recommended

Decide who can use it - write access policies scoped to the Attio resource so only the right users and apps reach the API.
Watch the calls - every token exchange and downstream call lands in your audit log with user identity, resource, and policy decision.

Optional

Add MCP access too - install the Attio MCP server for AI agents that need Attio’s tools, not just the REST API.