Authentication
Bearer tokens, scopes, rotation policy, and revocation.
Updated May 18, 2026 · 4 min read
Bearer tokens
Pass the key in the `Authorization` header. The token format is `mpi_live_<random>` for production or `mpi_test_<random>` for sandbox.
```http
Authorization: Bearer mpi_live_••••••
```
Scopes
Each key inherits the role of the user who created it. Scopes available:
| Scope | Type | Description |
|---|---|---|
| read:screens | scope | List screens, read health metrics. |
| write:screens | scope | Create, pair, re-pair, delete screens. |
| read:content | scope | List items, scenes, playlists. |
| write:content | scope | Create or update items, scenes, playlists. |
| admin:workspace | scope | Manage members, integrations, billing. Owner role only. |
Rotation
Rotate keys at least quarterly. The API supports overlapping keys: create a new one, deploy it, revoke the old one. No downtime required.
Revocation
Revocation is immediate. To revoke a key, go to Settings → API → (key) → Revoke. Subsequent calls with that key return `401 invalid_key` within ~5 seconds.
Sandbox keys
Test keys (`mpi_test_...`) hit the same endpoints against a sandbox workspace. Use them in CI; production data is untouched.
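A CI guard for the sandbox-key rule above, as an added example (not code from this documentation or its vendor): it scans text for `mpi_live_` and `mpi_test_` tokens, reports them redacted, and fails only on production keys. The alphabet and minimum length of `<random>` are not documented here, so the pattern, the function names, and the sample tokens are assumptions.

```python
import re
import sys

# Assumption: the page documents only the prefixes. The character set and the
# 8-character minimum for <random> are guesses, chosen so that documentation
# placeholders such as "mpi_live_<random>" or "mpi_test_..." do not match.
TOKEN_RE = re.compile(r"mpi_(live|test)_([A-Za-z0-9_-]{8,})")

# Constructed sample input; these are not real keys.
SAMPLE = """\
# ci environment file
API_KEY=mpi_test_Zx81kQp04mTrA9cd
PROD_KEY=mpi_live_Hq7Lw2Nf5Yt0Bv3e
docs: the format is mpi_live_<random>
"""


def find_keys(text):
    """Return (line_no, environment, redacted_token) for every key found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in TOKEN_RE.finditer(line):
            env, secret = m.group(1), m.group(2)
            # Show only the last 4 characters so the report is not a new leak.
            findings.append((line_no, env, f"mpi_{env}_****{secret[-4:]}"))
    return findings


def live_keys(text):
    """Production keys only; sandbox keys are the ones meant for CI."""
    return [f for f in find_keys(text) if f[1] == "live"]


def main(paths):
    """Scan files and return 1 if any holds a production key."""
    if not paths:  # no arguments: show the constructed sample and succeed
        for finding in find_keys(SAMPLE):
            print("<sample>:%d: %s key %s" % finding)
        return 0
    failed = False
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line_no, _env, shown in live_keys(fh.read()):
                print(f"{path}:{line_no}: production key {shown}")
                failed = True
    return 1 if failed else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

A production key caught this way should also be revoked and replaced using the overlap procedure under Rotation, since it has already been exposed to the repository or the build logs.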