Authentication
The API authenticates with secret keys that start with mtb_. Keys belong to a workspace and carry an explicit list of scopes.
https://api.mytabulon.com/v1
Bearer keys
Send your key in the Authorization header on every request. Keys are stored hashed on our side, can expire, and can be revoked instantly from the dashboard.
Authorization: Bearer mtb_live_Aih3...
Scopes
Each key carries scopes like clients.read, invoices.write, files.write, or ai.responses. A request that needs a missing scope fails with 403 and code insufficient_scope. Grant the minimum set your integration needs.
Verifying a key
GET /me (any valid key)
Returns the workspace, environment, and scopes attached to your key.
{
  "object": "api_key.context",
  "workspace": { "object": "workspace", "id": "...", "name": "Acme", "currency": "USD" },
  "environment": "live",
  "scopes": ["clients.read", "invoices.write"]
}
Key safety
Never ship keys in browser code or mobile apps. Keep them server-side, rotate them periodically, and create separate keys per integration so one revocation never breaks everything.
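A startup or CI check can use GET /me to confirm that a key carries exactly the scopes an integration needs and belongs to the expected environment. The sketch below is an added example, not code from the API's documentation: the function names, the MYTABULON_API_KEY variable, the required scope set, and the sample response are assumptions made for illustration.

```python
import json
import os
import urllib.request

BASE_URL = "https://api.mytabulon.com/v1"  # base URL from the page

# Constructed sample in the shape of the GET /me response shown above.
SAMPLE_CONTEXT = {
    "object": "api_key.context",
    "workspace": {"object": "workspace", "id": "ws_constructed",
                  "name": "Acme", "currency": "USD"},
    "environment": "live",
    "scopes": ["clients.read", "invoices.write"],
}

def build_me_request(key):
    """Build the GET /me request; the key only ever travels in the header."""
    if not key.startswith("mtb_"):
        raise ValueError("not an mtb_ key")
    return urllib.request.Request(
        BASE_URL + "/me", headers={"Authorization": "Bearer " + key})

def fetch_context(key):
    """Call GET /me and return the parsed key context."""
    with urllib.request.urlopen(build_me_request(key), timeout=10) as resp:
        return json.load(resp)

def audit_key_context(context, required_scopes, expected_env):
    """Compare what a key is granted with what the integration needs."""
    if context.get("object") != "api_key.context":
        raise ValueError("unexpected response object")
    granted = set(context.get("scopes", []))
    required = set(required_scopes)
    return {
        "missing": sorted(required - granted),  # would fail with 403 insufficient_scope
        "excess": sorted(granted - required),   # candidates to drop (least privilege)
        "environment_ok": context.get("environment") == expected_env,
    }

if __name__ == "__main__":
    key = os.environ.get("MYTABULON_API_KEY")  # assumed variable name
    context = fetch_context(key) if key else SAMPLE_CONTEXT
    report = audit_key_context(context, {"invoices.write"}, "live")
    print(json.dumps(report, indent=2))
    # Fail the deploy if the key is under- or over-scoped, or in the wrong environment.
    raise SystemExit(0 if report == {"missing": [], "excess": [],
                                     "environment_ok": True} else 1)
```

Run against the constructed sample, the report lists clients.read as excess for an integration that only writes invoices, which is the signal to issue a narrower key.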