Authentication

The MASK API uses API keys to authenticate requests. You can create, manage, and revoke keys from your workspace settings. Each key can be scoped to specific permissions.

# API Keys

Creating an API key

API keys are created from your workspace settings. Navigate to Settings → API Keys → Create Key.

Every key belongs to a workspace and inherits the workspace context. Requests made with a key only have access to resources within that workspace.

Keys are prefixed with mk_live_ for production and mk_test_ for test environments.

Example request

```bash
curl https://api.mask.bz/v1/links \
  -H "Authorization: Bearer mk_live_abc123def456"
```

# Scopes

Permission scopes

When creating an API key, you select which scopes the key has access to. Use the principle of least privilege: only grant the scopes your integration needs.

| Scope | Description |
| --- | --- |
| links:read | Read link data and metadata |
| links:write | Create, update, and delete links |
| bio-pages:read | Read bio page data and blocks |
| bio-pages:write | Create, update, and delete bio pages |
| analytics:read | Query click and view analytics |
| qr-codes:read | Read QR code data and download images |
| qr-codes:write | Create and update QR codes |
| webhooks:read | List and view webhook subscriptions |
| webhooks:write | Create and delete webhook subscriptions |
| domains:read | List and view custom domains |
| domains:write | Add and remove custom domains |
| workspace:read | Read workspace settings and members |

# Key management

Revoking and rotating keys

You can revoke any API key immediately from the workspace settings. Once revoked, all requests using that key will return 401 Unauthorized.

To rotate a key without downtime, create a new key first, update your integration to use the new key, then revoke the old key.

Keys that have not been used in 90 days are flagged as inactive in the dashboard. We recommend revoking unused keys regularly.

# Best practices

Security recommendations

Use environment variables

Never hardcode API keys in your source code. Store them in environment variables or a secrets manager.

Scope narrowly

Create keys with only the permissions your integration needs. A reporting tool only needs analytics:read.

Rotate regularly

Rotate production keys every 90 days. Create the new key before revoking the old one to avoid downtime.

Monitor usage

Check the API Keys page in your workspace settings to see when each key was last used and from which IP.

Separate environments

Use test keys for development and staging. Only use production keys in your live environment.

Never expose client-side

API keys should only be used in server-side code. Never include them in browser JavaScript or mobile apps.
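
The "Use environment variables" and "Separate environments" recommendations can be enforced in a server-side wrapper. The following is an added example, not code from MASK: the variable names `MASK_API_KEY` and `APP_ENV` and the function names are assumptions, while the `mk_live_` / `mk_test_` prefixes and the `/v1/links` endpoint come from this page.

```bash
#!/bin/sh
# Added example (not MASK's own code). MASK_API_KEY and APP_ENV are assumed names.

# Classify a key by its documented prefix: prints "live", "test" or "unknown".
mask_key_env() {
  case "$1" in
    mk_live_?*) echo live ;;
    mk_test_?*) echo test ;;
    *)          echo unknown ;;
  esac
}

# Log-safe form of a key: the prefix only, never the secret part.
mask_redact() {
  case "$(mask_key_env "$1")" in
    live) echo 'mk_live_****' ;;
    test) echo 'mk_test_****' ;;
    *)    echo '[redacted]' ;;
  esac
}

# Fail closed unless the key type matches the deployment environment.
# $1 = key, $2 = "production" or any other value (treated as non-production).
mask_check_key() {
  case "$(mask_key_env "$1"):$2" in
    live:production) return 0 ;;
    test:production) echo "refusing: test key in production" >&2; return 1 ;;
    live:*) echo "refusing: production key outside production" >&2; return 1 ;;
    test:*) return 0 ;;
    *) echo "refusing: MASK_API_KEY is missing or malformed" >&2; return 1 ;;
  esac
}

# GET https://api.mask.bz/v1/<path> using the key from the environment.
mask_get() {
  mask_check_key "${MASK_API_KEY:-}" "${APP_ENV:-development}" || return 1
  echo "MASK request: /v1/$1 key=$(mask_redact "$MASK_API_KEY")" >&2
  # The header goes to curl on stdin (--config -), so the key does not
  # appear in the process list the way a -H argument would.
  printf 'header = "Authorization: Bearer %s"\n' "$MASK_API_KEY" |
    curl --silent --show-error --fail --config - "https://api.mask.bz/v1/$1"
}
```

Export both variables from your secrets manager at process start, then call `mask_get links`; a key that does not match the environment stops the request before anything is sent.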
