MDDoc
Docs

Authentication

API keys, bearer tokens, and access tiers.

Overview

MDDoc uses API keys for programmatic access. Every request to the public API must include a valid key in the Authorization header.

No OAuth flows, no token refresh, no complexity. One key, one header.

Generating API keys

From the MDDoc dashboard:

  1. Go to Settings → API Keys
  2. Click Generate New Key
  3. Give it a descriptive name (e.g. "CI Pipeline", "Claude MCP")
  4. Copy the key immediately — it's only shown once
POST /api/settings/api-keys
// Request
{ "name": "CI Pipeline" }

// Response
{
  "id": "key_abc123",
  "name": "CI Pipeline",
  "key": "mddoc_clmvMFXmPUJ6xK9TqR8nW...",
  "key_prefix": "mddoc_clmv",
  "created_at": "2026-02-25T10:00:00Z"
}

Keys always start with mddoc_. The full key is only returned at creation time. After that, only the prefix is visible in your dashboard.

Using your API key

Include the key as a Bearer token in the Authorization header of every request:

bash
curl https://api.mddoc.app/api/v1/templates \
  -H "Authorization: Bearer mddoc_YOUR_KEY"

That's it. No additional headers, no session management.

Access by plan

Not every plan gets API access. Here's what each tier includes:

FeatureSoloTeamEnterprise
Public API /api/v1/*YesYes
MCP server accessYesYesYes
Conversions per month20UnlimitedUnlimited
Templates5UnlimitedUnlimited
SharePoint exportYesYes

MCP is available on all plans. Even Solo users can connect MDDoc to Claude Desktop or Claude Code via the MCP server. The public REST API requires Team or higher.

Revoking keys

If a key is compromised, revoke it immediately from Settings → API Keys. Revoked keys return a 401 on every subsequent request. Generate a new key and update your integration.

You can have multiple active keys. Use separate keys for different environments (dev, staging, production) so you can revoke one without disrupting the others.

Authentication errors

When authentication fails, the API returns a structured error:

StatusCodeMeaning
401missing_api_keyNo Authorization header sent
401invalid_api_keyKey is invalid, revoked, or not a mddoc_ key
403api_access_deniedYour plan doesn't include API access (Solo plan)
Example error response
{
  "error": {
    "code": "invalid_api_key",
    "message": "The API key provided is invalid or has been revoked."
  }
}

Security notes

  • Keys are SHA-256 hashed before storage. We never store the raw key.
  • All API traffic must use HTTPS.
  • Never commit keys to version control. Use environment variables or a secrets manager.
  • Each key records a last_used_at timestamp — check for unauthorized usage in your dashboard.

Next

Now that you're authenticated, explore the full API reference to see every endpoint, parameter, and response format.

Quick StartConversion API