API Keys
Creating an API Key
- Select an app in the dashboard
- Enter a key name and select a scope in the “API Keys” section
- Click “Create” — the key is shown only once
Scopes
| Scope | Use Case | Allowed Operations |
|---|---|---|
| subscribe_only | Frontend embedding | Subscribe/unsubscribe only |
| notify | Server-side notification sending | Notification sending + subscription operations |
| full | Management | All operations (including app info and statistics) |
Usage Examples
```text
User's browser (frontend)
└─ subscribe_only key → /api/v1/subscriptions (POST) / /api/v1/apps/:appId/subscriptions (POST/DELETE)

Your server (backend)
└─ notify key → /api/v1/notify (POST)

CI / admin scripts
└─ full key → all endpoints
```

Authentication
API keys are sent via the Authorization: Bearer header.

```bash
curl -H "Authorization: Bearer pk_your_key_here" \
  https://api.todoke.dev/api/v1/notify \
  -H "Content-Type: application/json" \
  -d '{"title":"test","body":"test"}'
```

Key Format
pk_a1b2c3d4e5f6... (64-character hex string)

Scope × Endpoint Permission Matrix
The scopes that can call each endpoint.

| Endpoint | subscribe_only | notify | full |
|---|---|---|---|
| POST /api/v1/subscriptions (for SDK) | ✅ | ✅ | ✅ |
| POST / DELETE /api/v1/apps/:appId/subscriptions | ✅ | ✅ | ✅ |
| GET /api/v1/vapid-public-key | ✅ | ✅ | ✅ |
| GET /api/v1/stats | — | ✅ | ✅ |
| POST /api/v1/notify · /notify/batch | — | ✅ | ✅ |
| POST /mcp (MCP endpoint) | — | ✅ | ✅ |
| MCP list_api_keys / create_api_key / delete_api_key tools | — | — | ✅ |
| App creation POST /api/v1/apps | — | — | — (session-only; API keys not allowed) |
| App get/delete, key issue/delete/list, stats GET/POST/DELETE /api/v1/apps* (except creation) | — | — | ✅ (or session) |
Key Lifecycle
- Plaintext shown only at issuance: The plaintext key is included only in the response right after creation. There is no way to retrieve the plaintext afterward; the server stores only a value hashed with HMAC-SHA256 + pepper, and compares hashes against each other during authentication.
- last_used_at updates: Updated every time authentication succeeds. It is not shown in the dashboard UI, but you can check it with the CLI command todoke keys list.
- Immediate revocation on deletion: Deleting a key invalidates it immediately. Any application using that key will receive authentication errors (INVALID_API_KEY). Deleted keys cannot be restored.
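The following is an added example, not todoke's own code, showing how the server-side model described in the permission matrix and the Key Lifecycle section fits together: keys are generated in the pk_ + 64-hex format, only an HMAC-SHA256 digest under a server pepper is stored, authentication compares digests in constant time and stamps last_used_at, deletion removes the digest so the key fails immediately, and each endpoint is checked against the key's scope. The pepper value, the in-memory store, the function names and the scope ranking (full ⊇ notify ⊇ subscribe_only, which is what the matrix implies) are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed pepper for the example only; a real deployment keeps this in a
# secret store and never in source control.
PEPPER = b"example-pepper-not-for-production"

# Assumed scope ranking derived from the matrix: a higher scope can do
# everything a lower one can.
SCOPE_RANK = {"subscribe_only": 0, "notify": 1, "full": 2}

# Minimum scope per (method, path), following the matrix above.
# None marks a session-only endpoint where API keys are rejected outright.
ENDPOINT_MIN_SCOPE = {
    ("POST", "/api/v1/subscriptions"): "subscribe_only",
    ("GET", "/api/v1/vapid-public-key"): "subscribe_only",
    ("GET", "/api/v1/stats"): "notify",
    ("POST", "/api/v1/notify"): "notify",
    ("POST", "/api/v1/notify/batch"): "notify",
    ("POST", "/mcp"): "notify",
    ("POST", "/api/v1/apps"): None,
}


def generate_key():
    """New plaintext key in the page's format: 'pk_' followed by 64 hex chars."""
    return "pk_" + secrets.token_hex(32)


def hash_key(plaintext):
    """HMAC-SHA256 of the key under the pepper; this digest is all that is stored."""
    return hmac.new(PEPPER, plaintext.encode(), hashlib.sha256).hexdigest()


def issue_key(store, name, scope):
    """Create a key record. The plaintext is returned once and never persisted."""
    plaintext = generate_key()
    store[hash_key(plaintext)] = {"name": name, "scope": scope, "last_used_at": None}
    return plaintext


def parse_bearer(header_value):
    """Extract the token from an 'Authorization: Bearer <token>' header value."""
    if not header_value or not header_value.startswith("Bearer "):
        return None
    token = header_value[len("Bearer "):].strip()
    return token or None


def authenticate(store, header_value, now):
    """Return the key record on success (updating last_used_at), else None.

    The caller maps None to the INVALID_API_KEY error. Digests are compared
    with hmac.compare_digest so lookup time does not depend on matching bytes.
    """
    token = parse_bearer(header_value)
    if token is None:
        return None
    digest = hash_key(token)
    for stored_digest, record in store.items():
        if hmac.compare_digest(stored_digest, digest):
            record["last_used_at"] = now
            return record
    return None


def authorize(record, method, path):
    """True if the key's scope meets the endpoint's minimum scope."""
    if (method, path) not in ENDPOINT_MIN_SCOPE:
        return False
    required = ENDPOINT_MIN_SCOPE[(method, path)]
    if required is None:  # session-only endpoint: API keys never qualify
        return False
    return SCOPE_RANK[record["scope"]] >= SCOPE_RANK[required]


def revoke(store, plaintext):
    """Delete the key; the next authenticate() with it fails immediately."""
    store.pop(hash_key(plaintext), None)
```

Because the store is indexed by the peppered digest, a leaked database dump on its own does not yield usable keys, and the pepper must be rotated (with keys reissued) if it is ever exposed.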
Rate Limiting
Endpoints that use API key authentication have a rate limit of 20 requests / 60 seconds per IP address. Only failed authentication requests are counted; successful requests with a valid key are not counted. When exceeded, a 429 RATE_LIMITED is returned with a Retry-After: 60 header. For details, see Error Codes & Limits.
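As an added illustration (not todoke's implementation) of the limit just described, the limiter below keeps a sliding 60-second window of failed authentications per client IP, lets 20 failures through, answers the next attempt with 429 RATE_LIMITED and Retry-After: 60, and never counts successful requests. Treating the 21st failure in the window as the first rejected one, the in-memory data structure, the handle_request wrapper and the sample IP addresses are assumptions for this example.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_FAILURES = 20


class AuthFailureLimiter:
    """Sliding-window count of failed API key authentications per client IP."""

    def __init__(self, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.window = window
        self.limit = limit
        # ip -> timestamps (seconds) of failed authentications inside the window
        self._failures = defaultdict(deque)

    def _prune(self, ip, now):
        """Drop failures that have aged out of the window; return the live queue."""
        q = self._failures[ip]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def check(self, ip, now):
        """Run before authentication. None if allowed, else a 429 response."""
        if len(self._prune(ip, now)) >= self.limit:
            return {
                "status": 429,
                "code": "RATE_LIMITED",
                "headers": {"Retry-After": str(self.window)},
            }
        return None

    def record(self, ip, authenticated, now):
        """Run after authentication. Only failures count toward the limit."""
        if not authenticated:
            self._failures[ip].append(now)


def handle_request(limiter, ip, key_is_valid, now):
    """Assumed request flow: limit check, then authentication, then bookkeeping."""
    blocked = limiter.check(ip, now)
    if blocked:
        return blocked
    limiter.record(ip, key_is_valid, now)
    if key_is_valid:
        return {"status": 200}
    return {"status": 401, "code": "INVALID_API_KEY"}
```

Because only failures are counted, a busy legitimate client is never throttled by its own valid traffic, while a key-guessing client from one address is capped at 20 attempts per minute; the counter should live in shared storage (not process memory) when the API runs on more than one instance.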
Issuing Methods
API keys can be issued in the following three ways.
- Dashboard (the steps at the top of this page)
- CLI: todoke keys add
- MCP: the create_api_key tool (MCP Server; calling it requires a full-scope key)