
API Keys

  1. Select an app in the dashboard
  2. Enter a key name and select a scope in the “API Keys” section
  3. Click “Create” — the key is shown only once
| Scope | Use case | Allowed operations |
| --- | --- | --- |
| subscribe_only | Frontend embedding | Subscribe/unsubscribe only |
| notify | Server-side notification sending | Notification sending + subscription operations |
| full | Management | All operations (including app info and statistics) |
User's browser (frontend)
└─ subscribe_only key → /api/v1/subscriptions (POST) / /api/v1/apps/:appId/subscriptions (POST/DELETE)
Your server (backend)
└─ notify key → /api/v1/notify (POST)
CI / admin scripts
└─ full key → all endpoints

API keys are sent via the Authorization: Bearer header.

```sh
curl -H "Authorization: Bearer pk_your_key_here" \
  https://api.todoke.dev/api/v1/notify \
  -H "Content-Type: application/json" \
  -d '{"title":"test","body":"test"}'
```

Keys have the form pk_a1b2c3d4e5f6...: the pk_ prefix followed by a 64-character hex string.

Which scopes can call each endpoint:

| Endpoint | subscribe_only | notify | full |
| --- | --- | --- | --- |
| POST /api/v1/subscriptions (used by the SDK) | ✅ | ✅ | ✅ |
| POST / DELETE /api/v1/apps/:appId/subscriptions | ✅ | ✅ | ✅ |
| GET /api/v1/vapid-public-key | ✅ | ✅ | ✅ |
| GET /api/v1/stats | | | ✅ |
| POST /api/v1/notify, POST /api/v1/notify/batch | | ✅ | ✅ |
| POST /mcp (MCP endpoint) | per tool | per tool | ✅ |
| MCP list_api_keys / create_api_key / delete_api_key tools | | | ✅ |
| POST /api/v1/apps (app creation) | session only; API keys not allowed | | |
| GET/POST/DELETE /api/v1/apps* except creation (app get/delete, key issue/delete/list, stats) | | | ✅ (or session) |
  • Plaintext shown only at issuance: The plaintext key is included only in the response returned right after creation. There is no way to retrieve it afterwards; the server stores only HMAC-SHA256(pepper, key) and, on every request, computes the HMAC of the presented key and compares it with the stored value.
  • last_used_at updates: Updated every time authentication succeeds. It is not shown in the dashboard UI, but you can check it with the CLI todoke keys list.
  • Immediate revocation on deletion: Deleting a key invalidates it immediately. Any application still using that key receives authentication errors (INVALID_API_KEY). Deleted keys cannot be restored.
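The storage model in the three notes above, worked through as an added example. This is not todoke's own code; it assumes a key is pk_ plus 64 hex characters (32 random bytes), a server-side pepper held outside the database, and the hypothetical class and helper names ApiKeyStore, StoredKey, authorize and auth_result. Note what the store never holds: the plaintext exists only in the value returned by issue().

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Pepper: a server-side secret kept apart from the key table (env var, KMS, ...).
# Constructed here so the example runs stand-alone; never hard-code one for real.
PEPPER = bytes.fromhex("0f" * 32)


@dataclass
class StoredKey:
    key_id: str
    app_id: str
    name: str
    scope: str                      # "subscribe_only" | "notify" | "full"
    hmac_hex: str                   # HMAC-SHA256(pepper, plaintext); the plaintext is never stored
    prefix: str                     # short, non-secret prefix for listings
    last_used_at: Optional[float] = None


class ApiKeyStore:
    """Issue, authenticate and revoke keys without ever persisting the plaintext (hypothetical name)."""

    def __init__(self, pepper: bytes) -> None:
        self._pepper = pepper
        self._keys: dict[str, StoredKey] = {}   # hmac_hex -> record

    def _digest(self, plaintext: str) -> str:
        return hmac.new(self._pepper, plaintext.encode(), hashlib.sha256).hexdigest()

    def issue(self, app_id: str, name: str, scope: str) -> tuple[str, StoredKey]:
        # pk_ + 64 hex chars = 32 bytes from a CSPRNG (format assumed from the page's example key).
        plaintext = "pk_" + secrets.token_hex(32)
        rec = StoredKey(key_id=secrets.token_hex(8), app_id=app_id, name=name, scope=scope,
                        hmac_hex=self._digest(plaintext), prefix=plaintext[:10])
        self._keys[rec.hmac_hex] = rec
        return plaintext, rec        # the only time the plaintext leaves the server

    def authenticate(self, header_value: str) -> StoredKey:
        # Parse "Bearer pk_..."; every failure maps to the same generic code so a caller
        # cannot tell "malformed" from "unknown" from "revoked".
        scheme, _, token = header_value.partition(" ")
        if scheme != "Bearer" or not token.startswith("pk_"):
            raise PermissionError("INVALID_API_KEY")
        # Lookup by HMAC: without the pepper an attacker cannot choose the digest, so an
        # exact-match lookup on it does not leak anything useful about the plaintext.
        rec = self._keys.get(self._digest(token))
        if rec is None:
            raise PermissionError("INVALID_API_KEY")
        rec.last_used_at = time.time()   # updated on every successful authentication
        return rec

    def revoke(self, key_id: str) -> bool:
        # Deletion is immediate: the next authenticate() with that key fails.
        for h, rec in list(self._keys.items()):
            if rec.key_id == key_id:
                del self._keys[h]
                return True
        return False


# Operation classes per scope, following the scope table on this page.
SCOPE_ALLOWS = {
    "subscribe_only": {"subscriptions"},
    "notify": {"subscriptions", "notify"},
    "full": {"subscriptions", "notify", "stats", "apps", "keys"},
}


def authorize(rec: StoredKey, operation: str) -> bool:
    return operation in SCOPE_ALLOWS[rec.scope]


def auth_result(store: ApiKeyStore, header_value: str) -> str:
    """Return the key's scope on success or the error code on failure (hypothetical helper)."""
    try:
        return store.authenticate(header_value).scope
    except PermissionError as exc:
        return str(exc)
```

A real deployment would also index the record by key_id for listings and keep `prefix` (not the digest) as the only key-derived value shown to users.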

Endpoints that authenticate with an API key rate-limit failed authentication attempts to 20 per 60 seconds per IP address; successful requests with a valid key are not counted. When the limit is exceeded, the server returns 429 RATE_LIMITED with a Retry-After: 60 header. For details, see Error Codes & Limits.
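A server-side caller of /api/v1/notify that behaves correctly against the rules on this page (bearer header, key format, INVALID_API_KEY after revocation, 429 with Retry-After), as an added example rather than todoke's SDK or CLI. It assumes a JSON error body of the form {"error": "<code>"} and uses an injected transport function plus a constructed stub so that it runs offline; send_notification, NotifyError and make_stub are hypothetical names.

```python
import json
import re
import time
from typing import Callable

KEY_RE = re.compile(r"^pk_[0-9a-f]{64}$")   # pk_ prefix + 64 hex chars, per this page
NOTIFY_URL = "https://api.todoke.dev/api/v1/notify"

# A transport performs the HTTP call and returns (status, headers, body). Real code would
# wrap urllib/requests/httpx; the stub below replays scripted responses instead.
Transport = Callable[[str, dict, bytes], tuple[int, dict, bytes]]


class NotifyError(Exception):
    def __init__(self, code: str, retryable: bool) -> None:
        super().__init__(code)
        self.code, self.retryable = code, retryable


def build_request(api_key: str, title: str, body: str) -> tuple[dict, bytes]:
    if not KEY_RE.match(api_key):
        # Reject a truncated or whitespace-padded key locally: each request with a bad key
        # counts against the 20 failed authentications per minute per IP.
        raise NotifyError("MALFORMED_KEY", retryable=False)
    headers = {"Authorization": f"Bearer {api_key}", "Content-Type": "application/json"}
    return headers, json.dumps({"title": title, "body": body}).encode()


def send_notification(api_key: str, title: str, body: str, transport: Transport,
                      sleep=time.sleep, max_attempts: int = 3) -> dict:
    headers, payload = build_request(api_key, title, body)
    for attempt in range(1, max_attempts + 1):
        status, resp_headers, resp_body = transport(NOTIFY_URL, headers, payload)
        data = json.loads(resp_body or b"{}")   # {"error": "..."} on failure is an assumption
        if status == 429:
            # Rate-limited: wait the advertised Retry-After (60 s on this API) before one more
            # try; hammering the endpoint only keeps the window full.
            if attempt == max_attempts:
                raise NotifyError("RATE_LIMITED", retryable=True)
            sleep(int(resp_headers.get("Retry-After", "60")))
            continue
        if data.get("error") == "INVALID_API_KEY":
            # The key was deleted or never existed; a retry cannot succeed, so surface it.
            raise NotifyError("INVALID_API_KEY", retryable=False)
        if status >= 400:
            raise NotifyError(data.get("error", f"HTTP_{status}"), retryable=status >= 500)
        return data
    raise NotifyError("RATE_LIMITED", retryable=True)


def make_stub(responses: list) -> Transport:
    """Constructed stub transport: replays scripted (status, headers, json_body) responses."""
    calls: list = []

    def transport(url: str, headers: dict, payload: bytes):
        calls.append((url, headers["Authorization"], payload))
        status, hdrs, body = responses[min(len(calls) - 1, len(responses) - 1)]
        return status, hdrs, json.dumps(body).encode()

    transport.calls = calls   # exposed so callers can inspect what was sent
    return transport


SAMPLE_KEY = "pk_" + "ab" * 32   # constructed key with the right shape, not a real one


def demo() -> dict:
    """Rate-limited once, then accepted: returns the result and what the client did."""
    stub = make_stub([
        (429, {"Retry-After": "60"}, {"error": "RATE_LIMITED"}),
        (200, {}, {"ok": True, "sent": 1}),
    ])
    waits: list = []
    result = send_notification(SAMPLE_KEY, "test", "test", stub, sleep=waits.append)
    return {"result": result, "calls": len(stub.calls), "waits": waits}
```

The split between retryable and non-retryable errors is the point: a 429 is worth one retry after Retry-After, while INVALID_API_KEY means the key was revoked and the operator needs a new one, not a retry loop.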

API keys can be issued in the following three ways.

  • Dashboard (the steps at the top of this page)
  • CLI: todoke keys add
  • MCP: the create_api_key tool (see MCP Server; calling it requires a full-scope key)