The Miteos API authenticates every request using scoped API keys passed as Bearer tokens. Each key grants only the permissions you explicitly assign, so you can follow the principle of least privilege across your integrations, backend services, and automated workflows.
API Keys
Generate API keys from your API Keys dashboard. Keys are tied to your account and carry the scopes and restrictions you configure at creation time.
Every key has a prefix that identifies its environment:
| Prefix | Environment | Description |
|---|
mt_live_ | Production | Full platform access with real billing charges. |
mt_test_ | Sandbox | Safe testing environment — no charges are incurred. |
The full key value is displayed only once at creation time. Copy and store it in a secrets manager immediately — it cannot be retrieved later.
Making Requests
Pass your API key in the Authorization header of every request using the Bearer scheme:
curl https://api.miteos.com/v1/tasks \
-H "Authorization: Bearer mt_live_xxxxxxxxxxxxx" \
-H "Content-Type: application/json"
SDK Authentication
All official SDKs read your key from an environment variable by default, which keeps it out of your source code:
import { Miteos } from '@miteos/sdk';
const client = new Miteos({
apiKey: process.env.MITEOS_API_KEY,
});
Key Scopes
Every key is assigned one or more scopes that define what it can access. Requests made with a key that lacks the required scope receive a 403 Forbidden response.
| Scope | Description |
|---|
tasks.read | List and view tasks and their status. |
tasks.write | Create, cancel, and manage tasks. |
agents.read | View agent status, history, and reasoning logs. |
agents.write | Pause, resume, guide, and kill agents mid-execution. |
workspaces.read | List workspaces and browse workspace files. |
workspaces.write | Create workspaces and upload or delete files. |
billing.read | View plan details, credit usage, and invoices. |
teams.read | View team members and their roles. |
teams.write | Invite members, update roles, and remove team members. |
integrations.read | List connected third-party integrations. |
integrations.write | Connect or disconnect third-party integrations. |
trading.read | View trading positions, strategies, and history. |
trading.write | Execute trades and manage open positions. |
social.read | View social posts and connected accounts. |
social.write | Create posts and manage social media accounts. |
commerce.read | View wallet balances, cards, and orders. |
commerce.write | Issue cards and create orders. |
Creating Keys via API
You can programmatically create API keys using an existing key that has teams.write scope:
curl -X POST https://api.miteos.com/v1/api-keys \
-H "Authorization: Bearer mt_live_xxxxxxxxxxxxx" \
-H "Content-Type: application/json" \
-d '{
"name": "Production Backend",
"scopes": ["tasks.read", "tasks.write", "agents.read"]
}'
{
"id": "key_abc123def456",
"name": "Production Backend",
"key": "mt_live_sk_abc123def456...",
"scopes": ["tasks.read", "tasks.write", "agents.read"],
"created_at": "2026-06-20T10:00:00Z"
}
The key field in the response is the only time you will see the full secret. It is not stored in a retrievable form and cannot be shown again.
WebSocket Authentication
To open a real-time event stream, connect to the WebSocket endpoint and pass your token as a query parameter:
wss://api.miteos.com/v1/ws?token=mt_live_xxxxxxxxxxxxx
{"type": "auth", "token": "mt_live_xxxxxxxxxxxxx"}
{"type": "auth.success", "message": "Authenticated successfully"}
Security Best Practices
Never expose API keys in client-side code, public repositories, browser requests, or frontend bundles. Use a server-side proxy for any frontend integrations.
- Store keys securely — Use environment variables or a dedicated secrets manager like AWS Secrets Manager, HashiCorp Vault, or Doppler.
- Use test keys during development —
mt_test_ keys give you full sandbox access without incurring charges or touching production data.
- Rotate keys periodically — Regenerate keys on a schedule, and rotate immediately if you suspect a leak.
- Set an IP whitelist — Restrict production keys to the IP ranges of your servers to block misuse even if a key is exposed.
- Request minimum scope — Assign only the scopes a given integration actually needs. A read-only reporting service should never hold
tasks.write.
