Authentication
Every request — REST or MCP — authenticates with an API key sent as a Bearer token. One key works for both surfaces and is scoped to a single organization.
Get a key
Generate an API key from the dashboard, under API keys. Keys look like:
```text
ak_xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

The full secret is shown once at creation — copy it then. AI Accounting stores only a hash, so it can't show you the key again.
Send it on every request
Add an Authorization: Bearer header:
```bash
curl "https://ai-accounting-software.vercel.app/api/v1/accounts" \
  -H "Authorization: Bearer ak_your_key_here"
```

The same header authenticates the MCP server — MCP clients send it as a request header on the connection.
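The same request from a small Python client, added here as an illustration and not code shipped by AI Accounting. It reads the key from an environment variable (the variable name `AI_ACCOUNTING_API_KEY` is an assumption), refuses to build a request whose URL contains the key, and maps a 402 response to the lapsed-subscription meaning given on this page; treating 401 as "key rejected" is an assumption, since the page documents only 402.

```python
import os
import urllib.error
import urllib.request

# Base URL taken from the curl example on this page.
BASE_URL = "https://ai-accounting-software.vercel.app/api/v1"
# Hypothetical variable name; any env var or secrets-manager lookup works.
KEY_ENV_VAR = "AI_ACCOUNTING_API_KEY"

# 402 is documented on this page; the 401 wording is an assumption.
STATUS_MEANING = {
    401: "API key missing, malformed, unknown or revoked",
    402: "API key valid but the organization's subscription has lapsed",
}


class ApiAuthError(RuntimeError):
    """Raised when the API rejects the request for an authentication reason."""


def load_api_key(env=os.environ) -> str:
    """Read the key from the environment; never hard-code it in source."""
    key = env.get(KEY_ENV_VAR, "").strip()
    if not key.startswith("ak_"):
        raise RuntimeError(f"{KEY_ENV_VAR} is unset or not an ak_ key")
    return key


def redact(key: str) -> str:
    """Safe form of a key for log lines: prefix plus last four characters."""
    return key[:3] + "..." + key[-4:]


def auth_header(key: str) -> dict:
    """The one header both the REST API and the MCP server expect."""
    return {"Authorization": f"Bearer {key}"}


def build_request(path: str, key: str) -> urllib.request.Request:
    """Build a GET request; the key travels only in the header, never in the URL."""
    if key in path:
        raise ValueError("API key must not appear in the URL")
    return urllib.request.Request(BASE_URL + path, headers=auth_header(key))


def explain_status(code: int) -> str:
    return STATUS_MEANING.get(code, f"HTTP {code}")


def get(path: str, key: str) -> bytes:
    """Perform the request, turning auth-related failures into ApiAuthError."""
    try:
        with urllib.request.urlopen(build_request(path, key), timeout=30) as resp:
            return resp.read()
    except urllib.error.HTTPError as exc:
        if exc.code in STATUS_MEANING:
            raise ApiAuthError(f"{explain_status(exc.code)} (key {redact(key)})") from exc
        raise


if __name__ == "__main__":
    api_key = load_api_key()
    print(get("/accounts", api_key).decode("utf-8", "replace"))
```

Run it with the variable exported in the shell (`export AI_ACCOUNTING_API_KEY=ak_...`), so the key never lands in the script, the shell history of a `curl` line, or a URL.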
What a key grants
- Access is scoped to the key's organization — it can only see and modify that organization's ledger (enforced by row-level security).
- A valid key still requires an active subscription; requests for an organization with a lapsed subscription return 402 Payment Required (see Conventions).
Rotating and revoking
- Create a new key before retiring an old one to avoid downtime.
- Revoke a compromised key immediately from the dashboard — it stops working at once.
- Treat keys like passwords: never commit them, never put them in client-side code or URLs. See Security.
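To make the model described in the sections above concrete (secret shown once, only a hash kept, key scoped to one organization, 402 for a lapsed subscription, immediate revocation), here is a self-contained key store written for this page. It is an illustration of that model, not AI Accounting's implementation; the SHA-256 choice, the `key_id` field and the subscription table are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple

KEY_PREFIX = "ak_"  # format shown on this page


@dataclass
class KeyRecord:
    key_id: str    # public identifier a dashboard would list (assumed)
    key_hash: str  # SHA-256 of the secret; the secret itself is never stored
    org_id: str    # the single organization this key is scoped to
    revoked: bool = False


@dataclass
class ApiKeyStore:
    by_hash: dict = field(default_factory=dict)        # key_hash -> KeyRecord
    by_id: dict = field(default_factory=dict)          # key_id -> KeyRecord
    subscriptions: dict = field(default_factory=dict)  # org_id -> active?

    @staticmethod
    def hash_key(secret: str) -> str:
        # A fast hash is fine here: the secret is 192 bits of CSPRNG output,
        # so a leaked hash cannot be brute-forced back to the key.
        return hashlib.sha256(secret.encode("ascii")).hexdigest()

    def create(self, org_id: str) -> Tuple[str, str]:
        """Mint a key for org_id. Returns (key_id, secret); the secret is
        handed out exactly once and only its hash is retained."""
        secret = KEY_PREFIX + secrets.token_urlsafe(24)
        rec = KeyRecord(key_id=secrets.token_hex(6),
                        key_hash=self.hash_key(secret), org_id=org_id)
        self.by_hash[rec.key_hash] = rec
        self.by_id[rec.key_id] = rec
        return rec.key_id, secret

    def revoke(self, key_id: str) -> None:
        """Revocation is a flag flip, so it takes effect on the next request."""
        self.by_id[key_id].revoked = True

    def resolve(self, presented: str) -> Optional[str]:
        """Return the org_id a presented key is scoped to, or None if the
        key is malformed, unknown or revoked."""
        if not presented.startswith(KEY_PREFIX):
            return None
        rec = self.by_hash.get(self.hash_key(presented))
        if rec is None or rec.revoked:
            return None
        return rec.org_id

    def check_request(self, authorization: Optional[str]) -> int:
        """HTTP status this model answers with for an Authorization header."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401
        org = self.resolve(authorization[len("Bearer "):].strip())
        if org is None:
            return 401
        if not self.subscriptions.get(org, False):
            return 402  # valid key, lapsed subscription (see Conventions)
        return 200


if __name__ == "__main__":
    store = ApiKeyStore()
    store.subscriptions["org_demo"] = True  # constructed sample organization
    key_id, secret = store.create("org_demo")
    print("show once:", secret)
    print("stored:", store.by_id[key_id].key_hash)
    print("status:", store.check_request(f"Bearer {secret}"))
    store.revoke(key_id)
    print("after revoke:", store.check_request(f"Bearer {secret}"))
```

Rotation with this model is the sequence the bullets describe: call `create` for the new key, move clients over, then `revoke` the old `key_id`; nothing in the store ever needs the old secret again.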
Keys are secrets
Anyone with your key has full API and MCP access to your books. Store keys in environment variables or a secrets manager, not in source control.