Authentication
GuidesUpdated June 14, 2026
Authentication
All API requests must include your API key.
How to send the API key
Use one of these:
-
Bearer token (recommended)
Header:
Authorization: Bearer <your_api_key> -
X-API-Key header
Header:
X-API-Key: <your_api_key>
Example:
curl -X GET "https://app.machfive.io/api/v1/campaigns" \
-H "Authorization: Bearer mf_live_a1b2c3d4e5f60718293a4b5c6d7e8f90"Invalid or missing key
- Missing key: Response
401witherror: "UNAUTHORIZED", message:"Missing API key. Use Authorization: Bearer <key> or X-API-Key." - Invalid key: Response
401witherror: "UNAUTHORIZED", message:"Invalid API key."
Scopes
API keys can be scoped to limit what they can do. A request that needs a scope the key doesn't hold returns 403 FORBIDDEN, with detail listing the required and present scopes.
| Scope | Grants |
|---|---|
campaigns:read | List campaigns, read selections, documents, target audiences, asset options, and build status. |
campaigns:write | Generate sequences and previews; create campaigns, submit target audiences and asset selections, and trigger value-prop generation / builds. |
lists:read | List lead lists, read list status, export results. |
lists:write | Rename and delete lists, reprocess lists. |
workspace:read | Read the workspace profile, documents, and regeneration status. |
workspace:write | Update workspace details, import documents/URLs, regenerate documents. |
signatures:read | List email signatures. |
signatures:write | Create, update, and delete email signatures. |
agent:read | List conversations and read conversation messages. |
agent:write | Send agent chat messages. |
credits:read | Read credit balance and run credit checks. |
Keys created without explicit scopes have full access (backward compatibility).
Security
- Do not commit API keys to source control or expose them in client-side code.
- Prefer environment variables or a secrets manager.
- You can create multiple keys (e.g. per environment or integration) and revoke them from the app.