DocsAPI & MCP

Authentication

Every request carries a workspace API key as a bearer token. Here are the key format, the three key kinds, the two scopes, and how scoping works.

The v1 API and the MCP server use one authentication scheme: a workspace API key passed as a bearer token.

The header

Send your key in the Authorization header using the Bearer scheme on every request:

Authorization: Bearer mf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

There is no X-API-Key header and no query-string key — the bearer header is the only accepted form.

Key format

Workspace keys are prefixed mf_ followed by 40 hexadecimal characters. Keys are shown in plaintext exactly once, at creation, and stored only as a SHA-256 hash — MentionFlow cannot show you a key again, so save it when you create it. Create and manage keys under Settings → API keys (see API keys).

Key scopes

A workspace key has one of two scopes, set when you create it:

ScopeCan read v1 + MCPCan POST crawler eventsUse for
fullYesYesDashboards, exports, agents
ingestNoYesCrawler-log shippers (e.g. a Cloudflare Worker)

The ingest scope is deliberately narrow: a key exfiltrated from a customer's edge worker can ship logs but cannot read any workspace data. Read surfaces fail closed — an ingest (or otherwise unrecognised) scope is rejected on any read.

Note

There is also an internal cross-tenant operator key used by MentionFlow's own infrastructure. It is not something you create or use; workspace keys are always scoped to a single workspace.

Scoping and privacy

Every response is derived from the brands your key's workspace owns. A brand parameter pointing at a brand outside your workspace returns exactly the same "unknown brand" response as a brand id that does not exist — the API never reveals whether another workspace's id is real.

Errors you'll see

StatusMeaning
401 UnauthorizedMissing or invalid key.
403 ForbiddenAn ingest-scoped key was used on a read endpoint.
503The API is disabled for this deployment (no API access configured).

Full error shapes are in Errors.

  • API keys — creating, scoping, and revoking keys.
  • Conventions — scales, windows, and null handling.
  • Crawler ingest — the one endpoint an ingest key can reach.