Skip to main content
All Mufi API requests are authenticated using Bearer tokens. Your API key acts as a JWT-signed token that identifies your project and permission level.

Getting Your API Key

1

Sign in to the Mufi Dashboard

Go to my.mufi.app and authenticate with your email via magic link.
2

Select or create a project

Each project has its own users, events, products, and API keys.
3

Generate an API key

Navigate to the API Keys section and generate a new key. You’ll receive a JWT token to use in your API requests.
Don’t have an account? Email connect@mufi.app to request access.

Using Your API Key

Include your API key as a Bearer token in the Authorization header of every request: 
Authorization: Bearer YOUR_API_KEY

curl -H "Authorization: Bearer $MUFI_API_KEY" \
  https://api.mufi.app/v1/version

Permission Levels

Each API key has one of two permission levels:
PermissionWhat it allows
WriteFull access — create and modify users, events, products, and all resources
ReadQuery-only — fetch users, list events, check balances, view products
Calling a write-only endpoint with a read-only key returns 403 Forbidden.

Key Management

BehaviorDetail
ExpirationAPI keys do not expire automatically — they remain valid until revoked
RegenerationYou can regenerate a key at any time from the Dashboard. The old key is immediately invalidated
Multiple keysGenerate separate keys for different environments (staging, production) or services

Security Checklist

Store API keys in environment variables, never in source code
Use keys only on the server side — never expose them in frontend code
Use read-only keys when you only need to query data
Regenerate keys immediately if you suspect they’ve been compromised
Use separate keys for staging and production environments
If your API key is compromised, regenerate it immediately from the Mufi Dashboard or email connect@mufi.app for emergency revocation.