Skip to main content

Bearer token

All requests require a Bearer token in the Authorization header. The token is sent with every JSON-RPC request. 
curl -X POST https://app.psquared.dev/api/mcp/v1 \
  -H "Authorization: Bearer im_key_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}'
When using an MCP client like Claude Code or Cursor, the header is configured once in the MCP server settings — see Quick setup.

Getting your API key

  1. Go to Settings > API in your InboxMate dashboard
  2. Click Generate API key
  3. Copy and store the key securely — it won’t be shown again
Keep your API key secret. Do not expose it in client-side code, public repositories, or logs.

Key management

  • You can generate multiple API keys per workspace
  • Revoke compromised keys immediately from the settings page
  • Each key is scoped to your workspace — it can only access your own agents, conversations, contacts, and knowledge

Security

  • API keys are hashed (SHA-256) before storage — we never store the raw key
  • Keys support optional expiration dates
  • All requests are scoped to your account — you cannot access other workspaces

Requirements

  • Business plan or higher is required for API access
  • Requests from lower-tier accounts receive a 403 error with a message indicating the required plan