Authentication
Every REST request authenticates with an API key sent as a Bearer token. (The public verification endpoints are the one exception — they need no key, because the printed serial is the credential.)
# API keys
Create keys in the app under Settings → API keys. There are two kinds:
| Prefix | Use |
|---|---|
| `mtq_live_…` | Production — counts against your plan’s quota. |
| `mtq_test_…` | Testing. |
Keys are shown once at creation — store them somewhere safe. Only a SHA-256 hash is kept server-side, so a lost key can’t be recovered, only revoked and replaced.
# Sending the key
Add an Authorization header to every request:
```
Authorization: Bearer mtq_live_xxxxxxxxxxxxxxxxxxxxxxxx
```

```bash
curl https://mostlyqr.com/api/v1/links \
  -H "Authorization: Bearer mtq_live_…"
```
A missing, invalid, or revoked key returns 401. Each key is rate-limited over a
fixed window; exceeding the limit returns 429. See Errors.
# Base URL
https://mostlyqr.com/api
Requests to /api/** are routed to the REST function by a Hosting rewrite. (The raw
function URL https://europe-west2-mostly-qr.cloudfunctions.net/restApi also works.)
# Plan gating
Some endpoints require a paid plan: the REST API and batch are Pro+, and
serialized codes are Enterprise. A request beyond your plan’s
entitlement returns 403/failed-precondition with the limit in the error. See your
plan in Settings.
# Keeping keys safe
- Never ship a key in client-side code or a public repo.
- Rotate by creating a new key and revoking the old one; revocation is immediate.
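
A check for the first rule above, as an added example rather than MostlyQR's own tooling: a scanner that flags strings shaped like `mtq_live_` / `mtq_test_` keys in source or build output before it is committed or shipped. The length and character set of the secret part, and the names `scan_text` and `is_placeholder`, are assumptions; the page documents only the two prefixes.

```python
import hashlib
import re

# Assumption: the part after the prefix is 16+ characters from [A-Za-z0-9_-].
# The page documents only the mtq_live_ / mtq_test_ prefixes.
KEY_RE = re.compile(r"\bmtq_(live|test)_([A-Za-z0-9_-]{16,})")


def is_placeholder(secret: str) -> bool:
    """Doc samples such as mtq_live_xxxxxxxx... repeat a single character."""
    return len(set(secret.lower())) == 1


def scan_text(text: str, source: str = "<input>") -> list[dict]:
    """Return one finding per key-shaped string, never echoing the full key."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in KEY_RE.finditer(line):
            kind, secret = m.group(1), m.group(2)
            if is_placeholder(secret):
                continue
            key = m.group(0)
            findings.append({
                "source": source,
                "line": lineno,
                "kind": kind,
                # Prefix plus four characters: tells keys apart without leaking one.
                "redacted": key[:len("mtq_live_") + 4] + "…",
                # Local fingerprint for the report only.
                "sha256": hashlib.sha256(key.encode()).hexdigest(),
            })
    return findings


# Constructed sample: neither key is real.
SAMPLE = '''\
const API = "https://mostlyqr.com/api/v1/links";
// docs example: Authorization: Bearer mtq_live_xxxxxxxxxxxxxxxxxxxxxxxx
const headers = { Authorization: "Bearer mtq_live_A1b2C3d4E5f6G7h8I9j0K1l2" };
TEST_KEY=mtq_test_Zz9Yy8Xx7Ww6Vv5Uu4Tt3Ss2
'''

if __name__ == "__main__":
    for f in scan_text(SAMPLE, "bundle.js"):
        print(f"{f['source']}:{f['line']} {f['kind']} key "
              f"{f['redacted']} sha256={f['sha256'][:12]}")
```

Any finding for a real key means the key should be treated as exposed: revoke it and create a replacement, as described in the rotation rule.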