Authentication

Every request — REST or MCP — authenticates with an API key sent as a Bearer token. One key works for both surfaces and is scoped to a single organization.

Get a key

Generate an API key from the dashboard, under API keys. Keys look like:

```text
ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

The full secret is shown once at creation — copy it then. AI Accounting stores only a hash, so it can't show you the key again.

Send it on every request

Add an Authorization: Bearer header:

```bash
curl "https://ai-accounting-software.vercel.app/api/v1/accounts" \
  -H "Authorization: Bearer ak_your_key_here"
```

The same header authenticates the MCP server — MCP clients send it as a request header on the connection.

What a key grants

  • Access is scoped to the key's organization — it can only see and modify that organization's ledger (enforced by row-level security).
  • A valid key still requires an active subscription; requests for an organization with a lapsed subscription return 402 Payment Required (see Conventions).

Rotating and revoking

  • Create a new key before retiring an old one to avoid downtime.
  • Revoke a compromised key immediately from the dashboard — it stops working at once.
  • Treat keys like passwords: never commit them, never put them in client-side code or URLs. See Security.

Keys are secrets

Anyone with your key has full API and MCP access to your books. Store keys in environment variables or a secrets manager, not in source control.
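The following is an added example, not code from AI Accounting's own docs or SDK, that puts the guidance from "Send it on every request" and "Keys are secrets" into one small client: the key is read from an environment variable (the variable name `AI_ACCOUNTING_API_KEY` is an assumption), sent only as a Bearer header, redacted before it reaches a log line, and the 402 Payment Required case documented under "What a key grants" is handled explicitly. Treating 401 and 403 as "key rejected" is also an assumption; the page does not list those codes.

```python
import os
import urllib.error
import urllib.request

# Base URL taken from the curl example on this page.
BASE_URL = "https://ai-accounting-software.vercel.app/api/v1"
# Environment variable name is an assumption for this example; the page does not define one.
KEY_ENV_VAR = "AI_ACCOUNTING_API_KEY"


def load_api_key(env=None, var=KEY_ENV_VAR):
    """Read the API key from the environment (a secrets manager would serve the same role).

    Fails fast rather than silently sending an unauthenticated request.
    """
    env = os.environ if env is None else env
    key = env.get(var, "").strip()
    if not key:
        raise RuntimeError(f"{var} is not set; generate a key in the dashboard and export it")
    if not key.startswith("ak_"):
        # Keys on this service start with "ak_"; anything else is most likely a
        # placeholder or the wrong variable rather than a real key.
        raise ValueError(f"{var} does not look like an API key (expected 'ak_' prefix)")
    return key


def redact(key):
    """Render a key safely for logs: prefix and last four characters only."""
    return f"{key[:3]}...{key[-4:]}" if len(key) > 8 else "ak_..."


def build_request(path, api_key, base_url=BASE_URL):
    """Build a GET request that carries the key as a Bearer token in the header."""
    url = f"{base_url}{path}"
    # The page says keys must never go in URLs; refuse to build such a request.
    if api_key in url:
        raise ValueError("API key must be sent in the Authorization header, never in the URL")
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {api_key}")
    req.add_header("Accept", "application/json")
    return req


def interpret_status(status):
    """Map HTTP status codes onto actionable outcomes.

    402 is documented on the page (lapsed subscription). Treating 401/403 as
    "key rejected" is an assumption for this example.
    """
    if 200 <= status < 300:
        return "ok"
    if status == 402:
        return "subscription lapsed: renew the organization's subscription"
    if status in (401, 403):
        return "key rejected: check the key, or rotate it if it was revoked"
    return f"unexpected status {status}"


if __name__ == "__main__":
    key = load_api_key()
    req = build_request("/accounts", key)
    # Only the redacted form ever reaches stdout or a log file.
    print("requesting", req.full_url, "as", redact(key))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            print(interpret_status(resp.status))
            print(resp.read()[:200])
    except urllib.error.HTTPError as err:
        print(interpret_status(err.code))
```

Run it with the key exported in the shell (`export AI_ACCOUNTING_API_KEY=ak_...`) rather than written into the script; the same `build_request` shape applies to any path under `/api/v1`, and the `api_key in url` guard catches the accidental query-string leak the page warns about.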