Workspace API key format
Keys are prefixed withpsk_live_ and tied to a single workspace.
POST /workspaces/{workspace_id}/api-keys (JWT only).
REST headers
Authorization: Bearer psk_live_YOUR_KEY (same behavior).
Optional workspace header
With an API key,X-Workspace-Id is optional — the workspace comes from the key. If you send it, it must match the key’s workspace or you get 403.
With JWT login, X-Workspace-Id is required for workspace-scoped routes.
MCP authentication
Unified MCP accepts the same key via:- Header:
X-API-Key: psk_live_… - Query:
https://mcp.postsiva.com/mcp?apikey=psk_live_…
API key scopes
Setscope when creating a key:
| Scope | Access |
|---|---|
linkedin_only | Default — LinkedIn OAuth and posting only |
linkedin_posts | Read-only: GET /unified/posts only |
linkedin,instagram | Comma-separated platform allowlist for OAuth |
full | All platforms the workspace supports |
linkedin_only key cannot connect Instagram.
Plan requirements
| Feature | Plan |
|---|---|
| Create API keys | Pro (api_keys_enabled) |
| Unified MCP | Pro (mcp_enabled) |
| GPT Actions | Pro (gpt_app_enabled) |
Security best practices
- Never commit keys to git or expose them in client-side code
- Use scoped keys for integrations (e.g. read-only
linkedin_postsfor analytics dashboards) - Revoke unused keys in Settings → API Keys
- Rotate keys if leaked
Errors
| Status | Meaning |
|---|---|
401 | Missing or invalid key |
403 | Scope restriction or workspace mismatch |
402 / plan message | Feature not on current plan |