Attio's API is the under-rated power of the platform. A clean REST surface, webhooks for every event, and OAuth for partner apps. Used right, it makes Attio the spine of your stack. Used wrong, it leaks tokens, double-writes records, and spirals rate-limit costs. Here is the discipline.
Who this is for
Ops leads, engineers, and technical founders wiring Attio into the rest of the stack — Slack, Zapier, Make, custom services, billing tools, product analytics. If you have ever asked 'how do I get [tool X] data into Attio,' this tutorial is for you.
What you'll need
Step 1
Native integrations (one-click in Workspace settings), no-code platforms (Zapier / Make), and direct API. Pick the simplest path that does the job.
Native integrations: Workspace settings → Integrations. One-click installs for Slack, Gmail/Outlook, Calendar, Linear, Notion, Intercom, and a growing list. Always check here first.
Zapier / Make: for tools without a native integration, or for simple cross-tool plumbing (e.g. "new Stripe customer → create Attio Company"). Faster than custom code, slower at scale.
Direct API: for high-volume sync, custom logic, or anything where Zapier/Make rate limits become painful. Requires engineering effort but no per-task fees and full control.
Rule of thumb: native first, Zapier for under 1K events/day, custom API for over 1K events/day or any logic Zapier cannot express.
Document every integration in a single Integrations Inventory doc. Tool name, integration path, what it reads, what it writes, who owns it, last reviewed date.
Step 2
Workspace settings → Integrations → browse and install. Most teams need Slack + Gmail/Outlook + Calendar + one team app (Linear, Notion, Intercom).
Slack: Workspace settings → Integrations → Slack → Install. Authorize at the workspace level. Then each member subscribes individually to specific channels + events they want notifications for.
Gmail / Outlook + Calendar: covered in detail in the email + calendar sync tutorial. Connect per-user with privacy-first defaults.
Linear / Notion / Intercom: useful for product-led B2B SaaS teams. Each integration writes specific data into Attio (Linear issues become Attio activities, Intercom conversations attach to People records).
Install ONE at a time. Test each end-to-end before adding the next. Disconnect anything you installed only to trial — every connected app is a permission grant and a data flow you will own.
Document each: what tool, what scope, what data flows, who installed it, why. This becomes the Integrations Inventory.
Step 3
For tools without a native Attio integration, Zapier and Make both have official Attio apps. Set up Zaps with idempotency in mind.
Zapier: connect via the Attio app on Zapier. Auth uses OAuth — log in via your Attio account, grant scope, done.
Common Zaps: "new Stripe customer → create Attio Company," "new Calendly meeting → create Attio Interaction," "new Typeform submission → create Attio Person."
Always include filter steps to avoid noise: 'Only continue if Stripe amount > $X,' 'Only continue if Typeform Page = pricing-form.'
Use idempotency: include a unique external ID in the Attio create action so re-runs do not create duplicates. Attio dedupes People by email and Companies by domain natively — use those as natural idempotency keys.
Make / Integromat: similar pattern with more powerful branching and array handling. Better for multi-step scenarios where Zapier feels limiting.
For high-volume Zaps (1K+ events/month), check the Zapier task pricing — it adds up fast. At that volume, custom API + webhooks is usually cheaper.
Step 4
Workspace settings → API keys → Create. Tokens are workspace-scoped; protect like a database password.
Workspace settings → API keys → Create new key. Name it for the use case ("Backend service — Stripe sync — prod") so revocation is targeted.
Set scopes: pick the minimum required. Read-only for analytics dashboards; Read + Write for data sync; Full access only when truly needed.
Store the token in an environment variable or secrets manager (AWS Secrets Manager, Doppler, 1Password Connect, Vercel env vars). NEVER commit to git.
Rotate tokens quarterly. Create a new token, deploy with new token, revoke old token, audit logs to confirm cutover.
For multi-environment setups (dev, staging, prod), use separate tokens per environment. Helps with audit and rate-limit isolation.
Step 5
Base URL: https://api.attio.com/v2. Auth: Bearer {token}. Standard REST: GET, POST, PATCH, DELETE on resources like /objects/{slug}/records.
Common endpoints: GET /v2/objects (list objects), GET /v2/objects/{slug}/records (list records on an object), POST /v2/objects/{slug}/records (create record), PATCH /v2/objects/{slug}/records/{record_id} (update record).
For filtered queries: POST /v2/objects/{slug}/records/query with a JSON body specifying filters, sorts, limits.
Rate limits: as of 2026, default rate limit is ~100 requests/minute per workspace, with bursts allowed. Response headers include X-RateLimit-Remaining and X-RateLimit-Reset. Handle 429 responses with exponential backoff.
Pagination: use the cursor pattern. Response includes a `cursor` field; pass it as the `cursor` parameter in the next request. Loop until cursor is null.
Errors: 4xx for client errors (auth, validation), 5xx for server errors. Always log full error responses in dev; redact in prod logs.
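The cursor loop and the 429 handling from this step (and from the rate-limit mistake under Common mistakes) in one client routine. This is an added example, not code from the tutorial or from Attio; the response shape, the fake server, and treating X-RateLimit-Reset as seconds-to-wait are assumptions made for the example.

```python
import time
from typing import Callable, Dict, List, Optional

# Assumed response shape for this example: {"status", "headers", "body"}; a real
# client would read these off the HTTP response. Endpoint and cursor field are
# from the tutorial; treating X-RateLimit-Reset as seconds-to-wait is an assumption.
Response = Dict[str, object]

def query_all_records(send: Callable[[dict], Response], max_retries: int = 5,
                      sleep: Callable[[float], None] = time.sleep) -> List[dict]:
    """Page through POST /v2/objects/{slug}/records/query, backing off on 429."""
    records: List[dict] = []
    cursor: Optional[str] = None
    retries = 0
    while True:
        body = {"limit": 100, **({"cursor": cursor} if cursor else {})}
        resp = send(body)
        status = resp["status"]
        if status == 429:
            if retries >= max_retries:
                raise RuntimeError(f"rate limited after {retries} retries")
            reset = resp.get("headers", {}).get("X-RateLimit-Reset")
            # Honour the server's reset hint if given, else wait 1, 2, 4, ... seconds
            sleep(float(reset) if reset else float(2 ** retries))
            retries += 1
            continue
        if status >= 400:
            # Log the full body in dev; redact before this reaches prod logs
            raise RuntimeError(f"Attio API error {status}: {resp.get('body')}")
        retries = 0
        page = resp["body"]
        records.extend(page["data"])
        cursor = page.get("cursor")
        if not cursor:          # null cursor means this was the last page
            return records

def make_fake_attio(pages: List[List[dict]]):
    """Constructed stand-in for Attio: answers 429 once, then serves pages by cursor."""
    state = {"calls": 0, "limited": False}
    def send(body: dict) -> Response:
        state["calls"] += 1
        if not state["limited"]:
            state["limited"] = True
            return {"status": 429, "headers": {"X-RateLimit-Reset": "1"}, "body": {}}
        idx = int(body.get("cursor") or 0)
        nxt = str(idx + 1) if idx + 1 < len(pages) else None
        return {"status": 200, "headers": {}, "body": {"data": pages[idx], "cursor": nxt}}
    return send, state
```

For a real run, `send` is the function that POSTs `body` with the Bearer token and returns status, headers and parsed JSON.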
Step 6
Workspace settings → Webhooks → Create endpoint. Attio POSTs to your URL when matching events fire — record created, attribute updated, etc.
Workspace settings → Webhooks → Create endpoint. Provide a URL (must be HTTPS), select event types (record.created, record.updated, list.entry_added, etc.).
Attio signs every webhook payload with HMAC SHA-256. Verify the signature in your handler (X-Attio-Signature header) — never trust an unsigned webhook.
Idempotency: every webhook includes a unique event ID. Store recently-processed event IDs and skip duplicates — Attio may retry on 5xx responses from your endpoint.
Handle slow responses: respond with 200 within 5 seconds, do heavy processing asynchronously (push to a queue). Webhooks that time out get retried, multiplying load.
Common webhook patterns: 'on deal.stage = Closed Won, trigger our billing system,' 'on person.created, push to our data warehouse,' 'on list.entry_added, send a Slack DM.'
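A receiver that applies the three rules above (signature check, event-ID dedupe, fast 200 with work pushed to a queue); it also covers the unverified-webhook mistake under Common mistakes. This is an added example, not the tutorial's or Attio's code: the header name is from the tutorial, but the MAC being over the raw body in hex and the event ID living in an `id` field are assumptions.

```python
import hashlib
import hmac
import json
from collections import OrderedDict

# Header name is from the tutorial. That the MAC is computed over the raw request
# body and sent hex-encoded, and that the event ID lives in an "id" field, are
# assumptions for this example, not Attio's documented format.
SIGNATURE_HEADER = "X-Attio-Signature"

def sign(secret: bytes, raw_body: bytes) -> str:
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()

def verify_signature(secret: bytes, raw_body: bytes, header_value: str) -> bool:
    expected = sign(secret, raw_body).encode()
    # compare_digest is constant-time, so a mismatch does not leak where it differs
    return hmac.compare_digest(expected, header_value.strip().lower().encode())

class SeenEvents:
    """Bounded in-memory record of processed event IDs (use Redis or a DB table
    in production so every replica shares it)."""
    def __init__(self, capacity: int = 10_000):
        self.capacity = capacity
        self._ids: OrderedDict = OrderedDict()
    def __contains__(self, event_id: str) -> bool:
        return event_id in self._ids
    def add(self, event_id: str) -> None:
        self._ids[event_id] = True
        if len(self._ids) > self.capacity:
            self._ids.popitem(last=False)   # drop the oldest entry

def handle_webhook(secret: bytes, headers: dict, raw_body: bytes,
                   seen: SeenEvents, enqueue) -> int:
    """Return the HTTP status to send Attio. Heavy work goes to `enqueue`
    so the 200 is returned well inside the 5-second window."""
    if not verify_signature(secret, raw_body, headers.get(SIGNATURE_HEADER, "")):
        return 401                      # unsigned or forged: never process
    try:
        event = json.loads(raw_body)
        event_id = event["id"]
    except (ValueError, KeyError, TypeError):
        return 400
    if event_id in seen:
        return 200                      # retry of a handled event: ack, do nothing
    enqueue(event)
    seen.add(event_id)                  # mark only after the hand-off succeeded
    return 200
```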
Step 7
Every integration is a permission grant + data flow. Drift happens silently — tokens expire, scopes get widened, integrations get re-wired by someone else.
Open Integrations Inventory doc monthly. Confirm each entry: still in use? Still owned by the same person? Still scoped correctly?
Workspace settings → Integrations → review every connected app. Disconnect anything stale.
Workspace settings → API keys → review every token. Revoke unused ones. Confirm rotation schedule.
Workspace settings → Webhooks → review every endpoint. Confirm receiving URL still active (test with a manual trigger). Disable any returning 5xx consistently.
For security-sensitive workspaces (financial services, healthcare): consider a quarterly external audit. EverestX specialists offer this as a 1-2 day engagement.
Common mistakes
Committing an API key to git, even temporarily
What goes wrong: Key gets scraped within minutes. Attacker uses it to read your entire CRM, create records, or pivot to other connected systems. You discover when a stranger's IP shows up in audit logs. Incident-response, customer notifications, and security review can easily run $10-50K — plus reputational damage if customer data was exposed.
How to avoid: Use environment variables or a secrets manager from day one. If exposure is suspected: revoke the key immediately in Workspace settings → API keys. Rotate all keys quarterly regardless.
No signature verification on incoming webhooks
What goes wrong: Attacker discovers your webhook URL and POSTs forged payloads. Your handler trusts them — creates fake records, fires downstream actions, leaks data via the webhook chain.
How to avoid: Always verify the X-Attio-Signature HMAC SHA-256 header. Reject any payload with an invalid signature. Document the verification in your handler code so it survives refactors.
No rate-limit handling — retries multiply on 429
What goes wrong: Your sync script does not handle 429s. On rate-limit, requests fail silently or loop endlessly. Attio rate-limits your whole workspace, which affects other apps too. Production CRM operations slow to a crawl.
How to avoid: Implement exponential backoff on 429. Check X-RateLimit-Remaining header proactively. For high-volume jobs, throttle requests to stay well under the limit.
Building Zapier Zaps without idempotency
What goes wrong: Zap fires twice on a Stripe webhook retry. Now you have duplicate Attio Companies for the same Stripe customer. Multiply by 50 Zaps a month and your data is dirty by week 2. Cleanup is a 1-2 day specialist engagement ($300-600) plus Zapier task overage fees that can add $100-300/month silently.
How to avoid: Use natural dedup keys (email for People, domain for Companies). Add a filter step in Zapier that checks "Record already exists?" before creating. Or use Attio's POST + auto-merge behavior.
Treating the API as fire-and-forget — no error logging
What goes wrong: Your nightly sync job silently fails for 3 weeks (auth token expired). You discover only when a stakeholder asks why a dashboard is stale. Three weeks of stale data, no audit trail.
How to avoid: Log every non-200 API response with full error body. Send Slack alert on consecutive failures. Track sync health in a meta-dashboard.
No Integrations Inventory — nobody knows what is connected
What goes wrong: Year one: 15 integrations across native, Zapier, custom API. Year two: nobody remembers what half of them do or who owns them. When something breaks, debugging takes hours instead of minutes — at $80-150/hr of engineering time, even a few incidents per quarter compound to $2-5K of avoidable spend annually.
How to avoid: Maintain a living Integrations Inventory doc. Tool, path, scopes, owner, last reviewed. Update every time you add or remove an integration. Audit monthly.
Recap
Done — what's next
How to set up an Attio workspace without painting yourself into a corner
Hand it off
The API + integrations surface is where Attio becomes the spine of your stack — and where security debt accumulates fastest. A specialist who has wired Attio into 30+ stacks knows which patterns scale, how to secure tokens, and how to keep the surface auditable. EverestX Attio specialists run $400-1,200/month at $14-16/hr.
The API is technically available on Free with limited scope and lower rate limits. Webhooks, custom integrations, and the full read/write surface are on Plus and Pro. Most teams building serious integrations are on Plus minimum.
Yes — Attio offers OAuth 2.0 for apps that need to authenticate end users (not just workspace tokens). Useful if you are building a product that integrates with customer Attio workspaces. Apply at developers.attio.com to register an OAuth app.
As of 2026, ~100 requests/minute per workspace with burst capacity. Higher limits available on Pro and Enterprise tiers. Check response headers (X-RateLimit-Remaining, X-RateLimit-Reset) and implement exponential backoff on 429 responses. For high-volume use cases, contact Attio sales for a higher tier.
Three patterns: (1) Use Attio webhooks to push events to your warehouse pipeline in real time. (2) Run a nightly cron job that pulls via the API (GET /v2/objects/{slug}/records/query) with filters on `updated_at`. (3) Use a third-party ETL tool (Fivetran, Airbyte) — both have growing Attio support as of 2026.
Yes — Attio has a developer program for building public apps. Apply at developers.attio.com. Requires going through Attio's app review process (similar to OAuth scope review at HubSpot/Slack). Best for tools with a clear B2B SaaS overlap with Attio's user base.