Authentication
Authenticate with a per-organization API token and scoped permissions.
Every request must include an API key as a bearer token:
Authorization: Bearer mt_live_your_tokenRequests without a valid token receive 401 Unauthorized.
Creating a key
Open Settings → Developers in Militime (workspace admins only) and choose Create key. Pick:
- Name — a label to recognise the key later (e.g.
Zapier production). - Scopes — the permissions the key grants (see below).
- Expiry (optional) — a date after which the key stops working.
The plaintext token is shown once at creation and is never stored — copy it immediately. If you lose it, revoke the key and create a new one.
Treat API keys like passwords. They grant access to your organization's data. Never commit them to source control or expose them in client-side code.
Scopes
A key carries a set of scopes; each endpoint requires exactly one. A request
whose token lacks the required scope receives 403 with code
forbidden_scope.
| Scope | Grants |
|---|---|
clients:read | List and read clients |
clients:write | Create and update clients |
projects:read | List and read projects |
projects:write | Create and update projects |
time_entries:read | List and read time entries |
time_entries:write | Create, update and delete time entries |
staff:read | List team members |
teams:read | List teams |
reports:read | Read time report summaries |
Verifying a token
Call GET /api/v1/me to confirm a token works and see its organization and
scopes:
curl https://app.militime.ai/api/v1/me \
-H "Authorization: Bearer mt_live_your_token"Revoking a key
In Settings → Developers, choose Revoke on any key. Revocation takes
effect immediately; subsequent requests with that token receive 401 with code
token_revoked. Revoked keys remain listed for auditing and keep their history
in the request logs.