Militime API

Authentication

Authenticate with a per-organization API token and scoped permissions.

Every request must include an API key as a bearer token:

Authorization: Bearer mt_live_your_token

Requests without a valid token receive 401 Unauthorized.

Creating a key

Open Settings → Developers in Militime (workspace admins only) and choose Create key. Pick:

  • Name — a label to recognise the key later (e.g. Zapier production).
  • Scopes — the permissions the key grants (see below).
  • Expiry (optional) — a date after which the key stops working.

The plaintext token is shown once at creation and is never stored — copy it immediately. If you lose it, revoke the key and create a new one.

Treat API keys like passwords. They grant access to your organization's data. Never commit them to source control or expose them in client-side code.

Scopes

A key carries a set of scopes; each endpoint requires exactly one. A request whose token lacks the required scope receives 403 with code forbidden_scope.

ScopeGrants
clients:readList and read clients
clients:writeCreate and update clients
projects:readList and read projects
projects:writeCreate and update projects
time_entries:readList and read time entries
time_entries:writeCreate, update and delete time entries
staff:readList team members
teams:readList teams
reports:readRead time report summaries

Verifying a token

Call GET /api/v1/me to confirm a token works and see its organization and scopes:

curl https://app.militime.ai/api/v1/me \
  -H "Authorization: Bearer mt_live_your_token"

Revoking a key

In Settings → Developers, choose Revoke on any key. Revocation takes effect immediately; subsequent requests with that token receive 401 with code token_revoked. Revoked keys remain listed for auditing and keep their history in the request logs.