Every API request must include a valid API key as a Bearer token in the Authorization header. Create and manage keys in Settings → Developer → API Keys inside your space.
Pass your API key as a Bearer token. The header value must be Bearer <your-api-key>.
curl 'https://acme.madless.com/api/v1/canvas/concepts' \
  -H 'Authorization: Bearer mad_sk_abc123...'
All API keys follow a structured prefix format that makes them easy to identify and rotate:
mad_sk_a1b2c3d4e5f6...
mad_: Platform prefix — identifies this as a Madless credential.
sk_: Key type — secret key (server-side only).
Beyond scopes, some endpoints require plan-based entitlements. These control access to features that differ between the Starter and Pro plans. If your space does not have the required entitlement, the API returns 403 Forbidden with an entitlement_required error type.
canvas, circle, drive, calendar, bridge, webhooks, api-keys, backup, branding, domain, security
Each API key is assigned a set of scopes that control which endpoints it can access. Scopes follow a module.action pattern. Required scopes are documented on each endpoint in the API Reference.
canvas.read, canvas.write, drive.upload, drive.read, drive.write, circle.read, circle.write, calendar.read, calendar.write, bridge.read, bridge.write, ai.use, ai.manage, admin.read, webhooks.manage
If a request is missing a required scope, the API returns 403 Forbidden with a missing_scope field indicating which scope is needed.
API keys carry the same privileges as the scopes they were assigned. Never expose them in client-side code, public repositories, or browser network requests. If a key is compromised, revoke it immediately in Settings → Developer → API Keys and generate a new one.
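The mad_sk_ prefix makes a leaked key easy to catch before it reaches a public repository or a client-side bundle. The scanner below is an added example, not part of the Madless documentation or tooling; the key body pattern (16 or more letters and digits) and the sample text are assumptions, since the page documents only the prefix.

```python
import re
import sys

# Assumption: the secret part after "mad_sk_" is 16 or more letters/digits.
# The page documents only the "mad_" and "sk_" prefixes, not the body format.
KEY_RE = re.compile(r"\bmad_sk_[A-Za-z0-9]{16,}")
VISIBLE = len("mad_sk_") + 4  # keep the prefix and 4 characters for triage


def redact(key):
    """Mask the key so the report itself does not leak it again."""
    return key[:VISIBLE] + "*" * (len(key) - VISIBLE)


def scan_text(text, source="<text>"):
    """Return (source, line_number, redacted_key) for each key-shaped string."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for match in KEY_RE.finditer(line):
            findings.append((source, number, redact(match.group(0))))
    return findings


def scan_files(paths):
    """Scan files on disk; unreadable files are reported and skipped."""
    findings = []
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as handle:
                findings.extend(scan_text(handle.read(), path))
        except OSError as exc:
            print(f"skipped {path}: {exc}", file=sys.stderr)
    return findings


# Constructed sample input; none of these values are real keys.
SAMPLE = """\
# deploy.env
MADLESS_API_KEY=mad_sk_a1b2c3d4e5f6a7b8c9d0
curl -H 'Authorization: Bearer mad_sk_abc123...'
const key = "mad_sk_0011223344556677"; // shipped in a browser bundle
"""

if __name__ == "__main__":
    hits = scan_files(sys.argv[1:]) if sys.argv[1:] else scan_text(SAMPLE, "sample")
    for source, number, key in hits:
        print(f"{source}:{number}: possible Madless secret key {key}")
    sys.exit(1 if hits else 0)  # non-zero exit blocks a pre-commit hook or CI job
```

Run it with file paths as arguments from a pre-commit hook or CI step; any key it reports should be treated as compromised and revoked in Settings → Developer → API Keys.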