Authentication

Every REST request (except signed render URLs) authenticates with an API key sent as a Bearer token.

# API keys

Create keys in the app under Settings → API keys. There are two kinds:

Prefix	Use
`mr_live_…`	Production — counts against your plan’s quota and billing.
`mr_test_…`	Testing.

Keys are shown once at creation — store them somewhere safe. Only a SHA-256 hash is kept server-side, so a lost key can’t be recovered, only revoked and replaced.

# Sending the key

Add an Authorization header to every request:

http

Authorization: Bearer mr_live_xxxxxxxxxxxxxxxxxxxxxxxx

bash

curl https://api.mostlyrender.com/v1/account \
  -H "Authorization: Bearer mr_live_…"

GET /v1/account is the simplest way to verify a key — it returns the connected account, or 401 if the key is missing, invalid, or revoked.

json

{ "plan": "pro", "email": "you@example.com", "display_name": "Ada Lovelace" }

# Base URL

text

https://api.mostlyrender.com

Until the custom API domain is attached, the live host is https://mostly-render-api.web.app. SDKs accept a base_url override.

# Keeping keys safe

Never ship a key in client-side code. For browser/<img> use, generate a signed render URL instead — it needs no key.
Rotate by creating a new key and revoking the old one; revocation is immediate.