Context RepoContext Repo Docs
API Reference

Authentication

Authenticate API requests using a Bearer JWT session token or an API key from your Context Repo dashboard.

Every API request requires an Authorization header. Context Repo supports two authentication methods: Bearer JWT for session-based access and API-Key for programmatic integrations.

Bearer JWT

Use a session JWT token when making requests on behalf of a signed-in user. This is the same token your browser uses when you're logged into the dashboard.

Header format:

Authorization: Bearer <session_jwt_token>

The token must be a valid, non-expired session token issued by your signed-in dashboard session. Browser-based integrations built on top of Context Repo retrieve this token from their existing authenticated session — refer to your auth provider's documentation for the exact retrieval call.

Bearer tokens have full access to all resources owned by the authenticated user — they aren't restricted by permission scopes.

Bearer JWT authentication is primarily for browser-based, signed-in usage. For scripts, CLI tools, MCP clients, and server-to-server integrations, use an API key — it's simpler to set up and longer-lived.

API Key

API keys provide scoped, long-lived access for external tools, scripts, and integrations like the Chrome Extension and MCP clients.

Header format:

Authorization: API-Key <your_api_key>

The header name API-Key is case-sensitive. API keys generated by the dashboard have the shape gm_<publicId>_<secret> — for example:

Authorization: API-Key gm_aB3cD4eF5gH6_xK9mN2pQ7rS5tU8vW1yZ3aB6cD9eF2gH5jK7

Getting an API Key

  1. Open the Context Repo dashboard
  2. Go to Settings > API Keys
  3. Click New API Key
  4. Give it a name and select the permission scopes you need
  5. Click Create and copy the key immediately — it's only shown once

For a detailed walkthrough of key creation, viewing, and revoking, see the Settings page.

Permission Scopes

API keys are scoped per resource and per access kind. Four scopes are available:

ScopeLabelWhat It Allows
prompts.readPrompts — ReadList, read, search, and inspect prompt versions
prompts.writePrompts — WriteCreate, update, delete, and restore prompt versions. Implies prompts.read.
documents.readDocuments & Collections — ReadList, read, deep-search, and export documents and collections
documents.writeDocuments & Collections — WriteCreate, update, delete, restore versions, scrape URLs, and manage collection memberships. Implies documents.read.

When you create a key in the dashboard, you pick None / Read / Write per resource — there is one selector for Prompts and another for Documents & Collections. Selecting "Write" automatically grants the matching read access, so you don't need to select both.

If your API key doesn't have the required scope for an endpoint, the API returns a 403 Forbidden error. Make sure you've assigned the right scopes for your use case.

Scope Requirements by Endpoint

Read methods (GET) require the matching .read scope; write methods (POST/PATCH/DELETE/restore) require the matching .write scope (which already includes .read).

Endpoint GroupRead methodsWrite methods
Prompts (/v1/prompts/*)prompts.readprompts.write
Documents (/v1/documents/*)documents.readdocuments.write
Document scraping (POST /v1/documents/scrape)documents.write
Collections (/v1/collections/*)documents.readdocuments.write
Search (GET /v1/search)At least one of prompts.read or documents.read
Progressive Disclosure (/v1/pd/*)documents.read
User profile (GET /v1/user/me)Any authenticated request
MCP Capabilities (GET /v1/mcp/capabilities)None — public, unauthenticated

Choosing an Auth Method

Use CaseRecommended Method
Browser-based integrationsBearer JWT
Chrome ExtensionAPI Key with documents.write (needed to save scraped pages)
MCP clients (Cursor, Claude Desktop, etc.)API Key with the scopes matching the MCP tools you'll use — for full read + write access, grant prompts.write and documents.write
CI/CD pipelines and scriptsAPI Key with the minimum scopes needed
Custom applicationsAPI Key for server-to-server, Bearer JWT for user-facing

Error Responses

Authentication failures return one of two status codes:

StatusMeaning
401 UnauthorizedMissing or invalid Authorization header — the token or key couldn't be verified
403 ForbiddenValid authentication, but the API key doesn't have the required permission scope
{
  "error": {
    "code": 401,
    "message": "Invalid authentication"
  }
}

Settings

Create, view, and revoke API keys from your dashboard.

Endpoints

Full REST endpoint reference with authentication requirements.

MCP Server

Connect AI assistants using MCP — uses API key authentication.

API Reference

Programmatic access to your prompts, documents, and collections through Context Repo's REST API.

Endpoints

Complete REST endpoint reference for prompts, documents, collections, search, and progressive disclosure.

On this page

Bearer JWTAPI KeyGetting an API KeyPermission ScopesScope Requirements by EndpointChoosing an Auth MethodError ResponsesRelated Pages