Skip to main content

Documentation Index

Fetch the complete documentation index at: https://dev.magicpost.in/llms.txt

Use this file to discover all available pages before exploring further.

These endpoints power the Settings → API & MCP tab in the MagicPost web app. They use cookie session authentication rather than Bearer tokens, which means they are tied to an active browser session and cannot be called from scripts or automation tools.
To create, view, or revoke API keys, use the web UI at app.magicpost.in. The endpoints below are documented for completeness, but you cannot call them from a script. The one exception is GET /api/v1/auth/verify, which accepts Bearer token auth and is scriptable.

GET /api/v1/api-keys

List all your Personal Access Tokens, including both active and revoked keys. Clear token values are never returned by this endpoint. Response 
{
  "keys": [
    {
      "id": "uuid",
      "prefix": "mp_abcdef",
      "name": "Claude Desktop",
      "scopes": ["mcp:v1"],
      "created_at": "2026-05-18T18:29:29Z",
      "last_used_at": "2026-05-18T18:29:42Z",
      "revoked_at": null
    }
  ]
}
A revoked_at value of null means the key is still active.

POST /api/v1/api-keys

Create a new Personal Access Token. The clear token value is returned exactly once in this response and is never retrievable again. Request body 
{ "name": "My Cursor" }
FieldTypeRequiredDescription
namestringNoFriendly label shown in the UI. Max 64 characters.
Response (HTTP 201) 
{
  "key": { "id": "uuid", "prefix": "mp_xxx", "name": "My Cursor" },
  "token": "mp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Copy the token value immediately and store it securely — you will not be able to retrieve it again. Constraints:
  • You can have a maximum of 10 active keys per account. Revoked keys do not count toward this limit.
  • Attempting to create an 11th active key returns HTTP 400.

DELETE /api/v1/api-keys/<key_id>

Revoke a Personal Access Token. Revoked keys are invalidated immediately and cannot be used for authentication. Response (HTTP 200) 
{ "success": true }
Returns 404 if the key doesn’t exist or isn’t owned by your account. Both cases return 404 to avoid leaking ownership information.
Revoking an already-revoked key returns 404 rather than a success response. This differs from a typical idempotent delete — use GET /api/v1/api-keys first to check the key’s revoked_at status if needed.

GET /api/v1/auth/verify

Validate a Bearer token. This is the only key-management endpoint that accepts Bearer token authentication, making it the one endpoint in this group you can call from a script. 
curl https://api.magicpost.in/api/v1/auth/verify \
  -H "Authorization: Bearer mp_xxx"
Response 
{
  "user_record_id": "recXXXXXXX",
  "email": "you@example.com",
  "scopes": ["mcp:v1"]
}
Returns 401 if the token is invalid or has been revoked.