Skip to main content

API key authentication

Send your developer API key on every authenticated request using either header:
curl https://mcp.echozero.app/api/v1/users/me \
  -H "x-api-key: ez_live_..."
curl https://mcp.echozero.app/api/v1/users/me \
  -H "Authorization: Bearer ez_live_..."
Create and revoke keys in the Dev Portal.

Optional HMAC signing

For server-to-server integrations, you may sign requests with your API secret:
HeaderDescription
x-signatureHMAC-SHA256(secretKey, timestamp + METHOD + path + body)
x-timestampEpoch milliseconds; rejected if drift exceeds 5 minutes
When x-signature is omitted, HMAC verification is skipped.
Detailed signing examples per language will be added in a follow-up update.