Every API request must include a valid API key as a Bearer token in the Authorization header. Create and manage keys in Settings → Developer → API Keys inside your space.
API keys are minted by a space admin in Settings → Developer. Minting a key requires:

- the api-keys entitlement
- the admin.write scope (a space admin role)

A key’s scopes are clamped to the scopes of the admin who created it — you cannot mint a key more privileged than yourself. Rotate or revoke a key from the same screen; a revoked key stops working within seconds.
Pass your API key as a Bearer token. The header value must be Bearer <your-api-key>.

```bash
curl 'https://acme.madless.com/api/v1/canvas' \
  -H 'Authorization: Bearer mad_sk_abc123...'
```

All API keys follow a structured prefix format that makes them easy to identify and rotate:

mad_sk_a1b2c3d4e5f6...

- mad_ — Platform prefix: identifies this as a Madless credential.
- sk_ — Key type: secret key (server-side only).
Beyond scopes, some endpoints require plan-based entitlements. These control access to features that differ between the Starter and Pro plans. If your space does not have the required entitlement, the API returns 403 Forbidden with an entitlement_required error type.
The entitlements are:

- canvas
- mirror
- minds
- threads
- drive
- timeline
- space
- webhooks
- api-keys
- mcp
- backup
- branding
- domain

Endpoints that run a paid AI model draw down your space’s monthly AI credit allowance. When the allowance (or the underlying USD budget) is spent, those endpoints return 402 with an ai_credits_exhausted error type. Credits reset at the start of each billing cycle.
Credit-billed operations include:
Routine embeddings and background enrichment (e.g. re-embedding a concept you edit) are included in your plan and do not draw down credits. Exact credit weights are plan-dependent and can change between Starter and Pro — treat the relative ordering above as the contract, not a fixed number.
Each API key is assigned a set of scopes that control which endpoints it can access. Scopes follow a module.action pattern. Required scopes are documented on each endpoint in the API Reference.
- canvas.read
- canvas.write
- canvas.manage
- capture.write
- drive.read
- drive.write
- drive.upload
- drive.manage
- minds.read
- minds.write
- timeline.read
- timeline.write
- threads.read
- threads.write
- threads.manage
- mirror.read
- mirror.write
- mirror.manage
- space.curate
- space.manage
- webhooks.manage
- admin.read
- admin.write

If a request is missing a required scope, the API returns 403 Forbidden with a missing_scope field indicating which scope is needed.
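The following is an added example, not Madless's own SDK or any code from this reference. It ties together the Bearer-token header above, the 403 entitlement_required and 402 ai_credits_exhausted responses, and the 403 missing_scope response, so that a client distinguishes "re-mint the key with another scope" from "the plan lacks the feature" from "credits are spent until the next billing cycle" instead of retrying blindly. The JSON error-body shape (an error object with a type field and, for scope errors, a missing_scope field), the entitlement field name, and the 401 handling for an invalid or revoked key are assumptions; the page only names the status codes and error types.

```python
"""Added example: minimal authenticated Madless client with error classification.
Not Madless's own code. Response-body layout and 401 handling are ASSUMPTIONS."""
import json
import urllib.error
import urllib.request

API_BASE = "https://acme.madless.com/api/v1"   # host taken from the page's curl example


class MadlessAPIError(Exception):
    """Raised for any non-2xx response; carries the classified error info."""

    def __init__(self, status: int, info: dict):
        super().__init__(f"{status}: {info['category']} ({info['action']})")
        self.status = status
        self.info = info


def auth_headers(api_key: str) -> dict:
    """Build the required 'Authorization: Bearer <key>' header.
    Refuse anything that is not a server-side secret key (mad_sk_ prefix)."""
    if not api_key.startswith("mad_sk_"):
        raise ValueError("expected a server-side secret key (mad_sk_ prefix)")
    return {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}


def classify_error(status: int, body: bytes) -> dict:
    """Map a status code plus error body to an actionable category.
    ASSUMED body shape: {"error": {"type": "...", "missing_scope": "...", "entitlement": "..."}}.
    None of the documented 402/403 conditions is transient, so 'retryable' is False
    for them; retrying a 402 would only hit the exhausted allowance again."""
    try:
        payload = json.loads(body.decode("utf-8") or "{}")
    except (UnicodeDecodeError, json.JSONDecodeError):
        payload = {}
    err = payload.get("error", payload) if isinstance(payload, dict) else {}
    if not isinstance(err, dict):
        err = {}
    etype = err.get("type")

    if status == 403 and etype == "missing_scope":
        return {"category": "missing_scope", "retryable": False,
                "needed": err.get("missing_scope"),
                "action": "mint a key that carries the missing scope"}
    if status == 403 and etype == "entitlement_required":
        return {"category": "entitlement_required", "retryable": False,
                "needed": err.get("entitlement"),   # field name is an assumption
                "action": "the space's plan does not include this feature"}
    if status == 402 and etype == "ai_credits_exhausted":
        return {"category": "ai_credits_exhausted", "retryable": False,
                "needed": None,
                "action": "AI credit allowance spent; wait for the billing cycle to reset"}
    if status == 401:   # assumed: invalid or revoked key (not listed on the page)
        return {"category": "unauthenticated", "retryable": False, "needed": None,
                "action": "check the Authorization header; a revoked key must be re-issued"}
    return {"category": "other", "retryable": 500 <= status < 600, "needed": None,
            "action": "inspect the response"}


def get(path: str, api_key: str) -> dict:
    """GET an API path with Bearer auth; raise MadlessAPIError with classified info."""
    req = urllib.request.Request(API_BASE + path, headers=auth_headers(api_key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        info = classify_error(exc.code, exc.read())
        raise MadlessAPIError(exc.code, info) from None


if __name__ == "__main__":
    # Constructed error bodies, since this runs offline.
    print(classify_error(403, b'{"error":{"type":"missing_scope","missing_scope":"canvas.write"}}'))
    print(classify_error(402, b'{"error":{"type":"ai_credits_exhausted"}}'))
```

Keeping `classify_error` separate from the transport lets the same mapping be reused by a job scheduler: a `missing_scope` or `entitlement_required` result should fail the job and page an operator, while `ai_credits_exhausted` should pause credit-billed work until the cycle resets rather than spinning.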
The admin.read / admin.write scopes unlock space-administration endpoints (members, roles, branding, billing, API-key management) that are scope-gated but not part of this published v1 reference. They behave like every other endpoint — same auth, errors, and rate limits — but their request/response shapes are not yet documented here, so treat them as subject to change.
API keys carry the same privileges as the scopes they were assigned. Never expose them in client-side code, public repositories, or browser network requests. If a key is compromised, revoke it immediately in Settings → Developer → API Keys and generate a new one.
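Because the prefix format above (mad_ platform prefix, sk_ secret-key type) makes these credentials recognisable, it also makes accidental exposure detectable. The block below is an added example, not Madless's own tooling: a small secret-hygiene helper that parses the documented prefix, finds keys that have leaked into text such as config files, diffs or log lines, and masks them before the text is shared. The alphanumeric key body and the minimum body length of 8 characters are assumptions chosen to limit false positives; the page only shows truncated sample keys.

```python
"""Added example: detect and redact Madless-style secret keys in text.
Not Madless's own code. Key-body charset and minimum length are ASSUMPTIONS."""
import re

# 'sk' is the only key type the reference lists; widen the alternation if more appear.
KEY_PATTERN = re.compile(r"\bmad_(?P<kind>sk)_(?P<body>[A-Za-z0-9]{8,})\b")


def parse_key(key: str) -> dict:
    """Split a key into its documented parts; reject anything not shaped like mad_sk_<body>."""
    m = KEY_PATTERN.fullmatch(key)
    if m is None:
        raise ValueError("not a Madless secret key")
    return {"platform": "mad", "type": m.group("kind"), "server_side_only": True}


def find_leaked_keys(text: str) -> list:
    """Return every substring that looks like a Madless secret key (pre-commit hook,
    log scrubber, or a scan of a browser network export)."""
    return [m.group(0) for m in KEY_PATTERN.finditer(text)]


def redact(text: str, keep: int = 4) -> str:
    """Mask each key to its prefix plus the last `keep` body characters, so a log
    remains correlatable to a specific key without exposing the credential."""
    def _mask(m: "re.Match") -> str:
        body = m.group("body")
        return f"mad_{m.group('kind')}_" + "*" * (len(body) - keep) + body[-keep:]
    return KEY_PATTERN.sub(_mask, text)


# Constructed sample: an env file line that should never reach a repository.
SAMPLE_ENV = 'MADLESS_KEY="mad_sk_a1b2c3d4e5f6g7h8"\nOTHER=value\n'

if __name__ == "__main__":
    for k in find_leaked_keys(SAMPLE_ENV):
        print("leaked:", parse_key(k))
    print(redact(SAMPLE_ENV))
```

The masked form keeps the last four characters so support staff can tell which key a log line refers to, which is enough to revoke it in Settings → Developer → API Keys without the full secret ever leaving the server.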