Skip to main content

Documentation Index

Fetch the complete documentation index at: https://dev.magicpost.in/llms.txt

Use this file to discover all available pages before exploring further.

Every call to /api/v1/* and every MCP tool invocation must carry a Personal Access Token (PAT) in the Authorization header. Tokens are formatted as mp_<32 random URL-safe bytes> — roughly 43 characters after the prefix. The full token is shown exactly once in the UI at creation time and is never displayed again. Afterwards, only its short prefix (e.g. mp_abc123) and metadata — name, created date, last used — remain visible.
Treat your tokens like passwords. Anyone who holds a token has the same access to your MagicPost account as you do via the API.

Creating a token

In the web app, go to Settings → API & MCP → Create a key. The dialog asks for an optional name (e.g. Claude Desktop, My Cursor, Internal cron script). The name has no functional effect — it just helps you tell tokens apart in the list and audit which integration was active when. You can hold up to 10 active tokens per account. Revoked tokens do not count against the limit but remain visible in the history.

Using a token

With the MCP server

In your MCP client config (Claude Desktop, Cursor, claude.ai), pass the token as a header via mcp-remote: 
{
  "mcpServers": {
    "magicpost": {
      "command": "npx",
      "args": [
        "-y",
        "mcp-remote",
        "https://mcp.magicpost.in/mcp",
        "--header",
        "Authorization:Bearer mp_YOUR_TOKEN"
      ]
    }
  }
}

With the REST API

Add the Authorization header to every request: 
curl https://api.magicpost.in/api/v1/posts?status=scheduled \
  -H "Authorization: Bearer mp_YOUR_TOKEN"

import os, httpx

client = httpx.Client(
    base_url="https://api.magicpost.in/api/v1",
    headers={"Authorization": f"Bearer {os.environ['MAGICPOST_TOKEN']}"},
)
client.get("/posts", params={"status": "scheduled"})

Verifying a token

GET /api/v1/auth/verify is the canonical way to check whether a token is valid. It returns the user record ID, email, and granted scopes when the token is good: 
curl https://api.magicpost.in/api/v1/auth/verify \
  -H "Authorization: Bearer mp_YOUR_TOKEN"

{
  "user_record_id": "recXXXXXXX",
  "email": "you@example.com",
  "scopes": ["mcp:v1"]
}

Scopes

All v1 tokens currently carry a single scope: mcp:v1. It grants full access to every /api/v1/* endpoint for the owning account. Finer-grained scopes (e.g. read-only, or post:write only) are planned for a future version — existing tokens will retain their full access when that lands.

Revoking a token

In Settings → API & MCP, click Revoke on the token row. The change propagates within 60 seconds — the MCP server caches token validity for that long, so a revoked token may still work for up to a minute after revocation. Revocation is irreversible. Any MCP integration using that token will start receiving 401 responses. Create a new token to replace it.

Security checklist

Store tokens in environment variables or a secrets manager, never in client-side code.
Use a different token per device or integration so you can revoke precisely if one leaks.
Rotate tokens periodically — roughly every six months for high-value automations.
Never commit a token to git, even in a private repository.
Never paste a token in a public log, screenshot, or support thread — revoke and recreate immediately if you suspect a leak.