> ## Documentation Index
> Fetch the complete documentation index at: https://docs.inboxmate.psquared.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> How to authenticate with the InboxMate MCP API.

## Bearer token

All requests require a Bearer token in the `Authorization` header. The token is sent with every JSON-RPC request.

```bash theme={null}
curl -X POST https://app.psquared.dev/api/mcp/v1 \
  -H "Authorization: Bearer im_key_abc123..." \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","method":"tools/list","params":{},"id":1}'
```

When using an MCP client like Claude Code or Cursor, the header is configured once in the MCP server settings — see [Quick setup](/api-reference/overview#quick-setup).

## Getting your API key

1. Go to **Settings > API** in your InboxMate dashboard
2. Click **Generate API key**
3. Copy and store the key securely — it won't be shown again

<Warning>
  Keep your API key secret. Do not expose it in client-side code, public repositories, or logs.
</Warning>

## Key management

* You can generate multiple API keys per workspace
* Revoke compromised keys immediately from the settings page
* Each key is scoped to your workspace — it can only access your own agents, conversations, contacts, and knowledge

## Security

* API keys are hashed (SHA-256) before storage — we never store the raw key
* Keys support optional expiration dates
* All requests are scoped to your account — you cannot access other workspaces

## Requirements

* **Business plan** or higher is required for API access
* Requests from lower-tier accounts receive a `403` error with a message indicating the required plan
