Skip to main content
Postsiva supports JWT (web/mobile app) and workspace API keys (automation and MCP). This page covers API keys — what you need for REST and MCP integrations.

Workspace API key format

Keys are prefixed with psk_live_ and tied to a single workspace.
psk_live_<random_secret>
Create keys in Settings → API Keys or POST /workspaces/{workspace_id}/api-keys (JWT only).

REST headers

curl "https://backend.postsiva.com/unified/posts" \
  -H "X-API-Key: psk_live_YOUR_KEY"
Alternative: Authorization: Bearer psk_live_YOUR_KEY (same behavior).

Optional workspace header

With an API key, X-Workspace-Id is optional — the workspace comes from the key. If you send it, it must match the key’s workspace or you get 403. With JWT login, X-Workspace-Id is required for workspace-scoped routes.

MCP authentication

Unified MCP accepts the same key via:
  • Header: X-API-Key: psk_live_…
  • Query: https://mcp.postsiva.com/mcp?apikey=psk_live_…
Invalid or missing keys return an in-band tool error (not a separate auth endpoint).

API key scopes

Set scope when creating a key:
ScopeAccess
linkedin_onlyDefault — LinkedIn OAuth and posting only
linkedin_postsRead-only: GET /unified/posts only
linkedin,instagramComma-separated platform allowlist for OAuth
fullAll platforms the workspace supports
OAuth routes enforce scope — a linkedin_only key cannot connect Instagram.

Plan requirements

FeaturePlan
Create API keysPro (api_keys_enabled)
Unified MCPPro (mcp_enabled)
GPT ActionsPro (gpt_app_enabled)
Blocked requests return a plan upgrade message.

Security best practices

  • Never commit keys to git or expose them in client-side code
  • Use scoped keys for integrations (e.g. read-only linkedin_posts for analytics dashboards)
  • Revoke unused keys in Settings → API Keys
  • Rotate keys if leaked

Errors

StatusMeaning
401Missing or invalid key
403Scope restriction or workspace mismatch
402 / plan messageFeature not on current plan
See Errors overview.