Authentication

API Keys

The primary authentication method for all programmatic API calls is an API key.

Format

mk_live_<43 base64url characters>

Total length: 51 characters. Example:

mk_live_aB3xZ9mQwRtYpLkJnVdCeHfIoUsSgA7bWzXc4Eh

Usage

Include the key in every request’s Authorization header:

Authorization: Bearer mk_live_<your-key>

Creating API keys

In the Dashboard → API Keys → Create Key, or via the API (requires a Clerk session):

curl -X POST https://dev.muchau.com.br/api/auth/api-keys \
  -H "Authorization: Bearer <CLERK_SESSION_TOKEN>" \
  -H "Content-Type: application/json" \
  -d '{ "name": "production" }'

The full key is shown only once at creation time. It cannot be retrieved later. Store it immediately in a secrets manager or .env file.

Revoking API keys

Keys can be revoked from the Dashboard or via DELETE /api/auth/api-keys/:id. Revoked keys are rejected immediately.


Clerk Session Tokens (Dashboard only)

A second authentication method — Clerk JWTs — is used only by the Dashboard frontend to manage the account (create/revoke API keys, view account info). These tokens are issued by Clerk and are not intended for direct API use.

If you’re building integrations, always use API keys.


Rate Limits

Plan      Requests per minute
Starter   100
Pro       500

Rate limit information is returned in response headers:

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 87
X-RateLimit-Reset: 1720000060

When the limit is exceeded, the API returns 429 Too Many Requests.
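The following Python helpers, added here as an example and not part of the project's own client, tie together the key format described under Format/Usage and the rate-limit headers above: a local format check for mk_live_ keys, an Authorization header built from an environment variable rather than source code, and the retry delay derived from X-RateLimit-Reset on a 429. The environment variable name MUCHAU_API_KEY and the reading of X-RateLimit-Reset as a Unix timestamp in seconds are assumptions.

```python
import os
import re
import time
from typing import Mapping, Optional

# Key format from the documentation: the fixed prefix "mk_live_" followed by
# exactly 43 base64url characters (A-Z, a-z, 0-9, "-", "_"), 51 characters total.
KEY_PATTERN = re.compile(r"^mk_live_[A-Za-z0-9_-]{43}$")


def is_valid_key_format(key: str) -> bool:
    """Cheap local sanity check before a request is sent.

    Catches truncated, pasted-with-whitespace or wrong-environment keys early;
    it does not prove the key is active (only the server can tell that).
    """
    return KEY_PATTERN.fullmatch(key) is not None


def auth_headers(env_var: str = "MUCHAU_API_KEY",  # assumed variable name
                 env: Mapping[str, str] = os.environ) -> dict:
    """Build the Authorization header from an environment variable.

    Reading the key from the environment (or a secrets manager) keeps it out
    of source code, as the best-practices section recommends.
    """
    key = env.get(env_var, "").strip()
    if not is_valid_key_format(key):
        raise ValueError(
            f"{env_var} is missing or malformed; expected mk_live_ + 43 base64url chars"
        )
    return {"Authorization": f"Bearer {key}"}


def seconds_until_reset(status: int, headers: Mapping[str, str],
                        now: Optional[float] = None) -> float:
    """Return how long to wait before retrying after a 429 response.

    X-RateLimit-Reset is assumed to be a Unix timestamp in seconds; the wait is
    the distance from 'now' to that instant, never negative. Any other status
    needs no wait and returns 0.
    """
    if status != 429:
        return 0.0
    reset = int(headers.get("X-RateLimit-Reset", "0"))
    now = time.time() if now is None else now
    return max(0.0, reset - now)
```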


Security best practices

  • Store API keys in environment variables, never in source code
  • Use separate keys per environment (development, staging, production)
  • Rotate keys regularly via Dashboard → API Keys → Rotate
  • Set up IP allowlisting for production keys (coming soon)