Authentication - Ocoya API Docs

Base URL

The current REST API endpoint is:

https://app.ocoya.com/api/_public/v1

Send your API key in the X-API-Key header.

X-API-Key: YOUR_API_KEY
Content-Type: application/json
Accept: application/json

Call /me to verify the key.

curl -X GET "https://app.ocoya.com/api/_public/v1/me" \
  -H "X-API-Key: YOUR_API_KEY"

If the key is valid, the API responds with your user context instead of an authentication error.

Missing API key

If no API key is provided, the API returns 401 Unauthorized.

{
  "message": "Missing API token."
}

Invalid API key

If the API key is invalid, the API returns 403 Forbidden.

{
  "message": "Invalid API token."
}

Keep keys server-side

API keys are designed for backend requests. Do not use them directly in browser-side code.

Store keys securely

Store API keys in environment variables or a secrets manager.

Rotate exposed keys

Replace an API key if it appears in client code, logs, screenshots, or public repositories.

MCP does not use Ocoya API keys. MCP clients authenticate through OAuth and ask the user to approve workspace access. See MCP for setup instructions.