Authentication
The Munera REST API uses API key authentication for programmatic access. API keys are scoped to your organisation and respect the same RBAC permissions as your user account.
Creating an API key
- 1Navigate to Settings → API Keys → Create Key
- 2Give the key a descriptive name (e.g.
ci-pipeline,dashboard-integration) - 3Set an expiration date — maximum 1 year from today
- 4Click Create and copy the key immediately — it is shown only once
🔑
Copy immediately!
The full API key value is displayed only at creation time. Munera stores only an Argon2 hash of the key. If you lose the key, you must revoke it and create a new one.
Making authenticated requests
Pass your API key in the X-API-Key header on every request:
GET /api/v1/tasks HTTP/1.1 Host: munera.cloud X-API-Key: mk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Content-Type: application/json
Base URL
# Cloud https://munera.cloud/api/v1 # Self-hosted https://your-domain.com/api/v1
Rate limits
| Tier | Requests / minute | Requests / hour |
|---|---|---|
| Standard | 60 | 1,000 |
| Professional | 120 | 3,000 |
| Enterprise | Custom | Custom |
Rate limit headers are returned on every response:
X-RateLimit-Limit: 60 X-RateLimit-Remaining: 55 X-RateLimit-Reset: 1740000000
Response format
All responses are JSON. Successful responses have a 2xx status code. Errors follow a consistent format:
{
"error": "not_found",
"message": "Task with id 999 does not exist",
"request_id": "req_01abc..."
}Error codes
| HTTP status | Error code | Meaning |
|---|---|---|
| 400 | validation_error | Request body failed validation |
| 401 | unauthorized | Missing or invalid API key |
| 403 | forbidden | API key lacks permission for this action |
| 404 | not_found | Resource does not exist |
| 409 | conflict | State conflict (e.g. assigning a completed task) |
| 429 | rate_limited | Too many requests — back off and retry |
| 500 | internal_error | Unexpected server error |
Managing API keys
From Settings → API Keys you can view all keys (the prefix only), their creation date, last-used timestamp, and expiration date. You can revoke any key at any time. Revocation takes effect immediately.
Each user account can hold up to 10 active API keys. The key prefix (first 8 characters) is visible in the admin view for audit purposes.