Inklate Docs
For agents

API keys

Create an Organization API key in the dashboard under Settings → API, copy it once, and send it as a bearer token to MCP or REST.

An Organization API key is the simplest way to let an agent act in one organization. You create it in the dashboard, copy it once, and send it as a bearer token on every MCP or REST call. The key is bound to a single organization and inherits its creator’s permissions.

Create a key

  1. In the dashboard, open Settings → API (under Administration). The page is titled Agent API keys.
  2. In the Create a key card, give the key a name — for example claude-code or cursor. A name is optional; if you leave it blank it defaults to agent.
  3. Click Create key. The full secret is shown once, with the note “Copy it now — it will not be shown again.” Copy it immediately and store it somewhere safe.

Every key starts with the prefix inklate_. After creation you only ever see the key’s name, a short start-prefix preview, and its created date in the active-keys list — never the full secret again.

How keys are scoped

  • One organization. A key is bound to the organization that was active when you created it. All calls made with that key act on that organization, so MCP and REST tools need no organization argument. Create the key from within the organization you want it to control.
  • Inherits your permissions. There are no per-key scopes to pick. A key acts as its creator, with that member’s role and permissions in the organization. Membership is re-checked on every call, so if the key’s owner loses access or leaves the organization, the key stops working.
  • No expiry. Keys do not expire on a timer; they live until you revoke them.

Because a key inherits its creator’s role, give agents a key created by a member whose permissions match what the agent should be allowed to do. A key created by an admin can do everything an admin can.

Use a key

Send the key as a bearer token. This is the same header for both MCP and REST:

Authorization: Bearer inklate_XXXXXXXX

An x-api-key: inklate_XXXXXXXX header is also accepted, but Authorization: Bearer is the canonical form used throughout the docs.

MCP (mcp.json / client config):

{
  "mcpServers": {
    "inklate": {
      "url": "https://api.inklate.com/mcp",
      "headers": { "Authorization": "Bearer inklate_XXXXXXXX" }
    }
  }
}

REST (curl):

curl https://api.inklate.com/api/v1/channels \
  -H "Authorization: Bearer inklate_XXXXXXXX"

Revoke a key

Each key in the active-keys list has a Revoke button. Revoking takes effect immediately — the next call with that key is rejected with 401. Revoke a key any time it might be exposed, and create a fresh one to rotate. Keys are per-organization, so a key revoked in one organization does not affect keys in another.

If you can’t pin a key to one organization

For clients that support remote-MCP browser sign-in, use OAuth instead of a pasted key — the connection is not pinned to one organization and you pass an organization slug to target a specific one. See Connect over MCP.