Authentication
Every request carries a workspace API key as a bearer token. Here are the key format, the three key kinds, the two scopes, and how scoping works.
The v1 API and the MCP server use one authentication scheme: a workspace API key passed as a bearer token.
The header
Send your key in the Authorization header using the Bearer scheme on every request:
Authorization: Bearer mf_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
There is no X-API-Key header and no query-string key — the bearer header is the only accepted form.
Key format
Workspace keys are prefixed mf_ followed by 40 hexadecimal characters. Keys are shown in plaintext exactly once, at creation, and stored only as a SHA-256 hash — MentionFlow cannot show you a key again, so save it when you create it. Create and manage keys under Settings → API keys (see API keys).
Key scopes
A workspace key has one of two scopes, set when you create it:
| Scope | Can read v1 + MCP | Can POST crawler events | Use for |
|---|---|---|---|
full | Yes | Yes | Dashboards, exports, agents |
ingest | No | Yes | Crawler-log shippers (e.g. a Cloudflare Worker) |
The ingest scope is deliberately narrow: a key exfiltrated from a customer's edge worker can ship logs but cannot read any workspace data. Read surfaces fail closed — an ingest (or otherwise unrecognised) scope is rejected on any read.
There is also an internal cross-tenant operator key used by MentionFlow's own infrastructure. It is not something you create or use; workspace keys are always scoped to a single workspace.
Scoping and privacy
Every response is derived from the brands your key's workspace owns. A brand parameter pointing at a brand outside your workspace returns exactly the same "unknown brand" response as a brand id that does not exist — the API never reveals whether another workspace's id is real.
Errors you'll see
| Status | Meaning |
|---|---|
401 Unauthorized | Missing or invalid key. |
403 Forbidden | An ingest-scoped key was used on a read endpoint. |
503 | The API is disabled for this deployment (no API access configured). |
Full error shapes are in Errors.
Related
- API keys — creating, scoping, and revoking keys.
- Conventions — scales, windows, and null handling.
- Crawler ingest — the one endpoint an
ingestkey can reach.