API Keys
All API requests require an API key passed in the Authorization header:
Authorization: Bearer mk_<64 hex characters>
Creating an API Key
- Go to Settings > API in the Mokaru app
- Click Create API key
- Give it a name (e.g. “Claude Desktop”) and select permissions
- Copy the key immediately - it’s only shown once
API keys require a Plus plan. You can have 1 active key per account. Revoke the existing key to create a new one.
Scopes
Each API key has scopes that control what it can access:
| Scope | Description |
|---|---|
| jobs:search | Search job listings |
| tracker:read | Read your applications |
| tracker:write | Create and update applications |
| profile:read | Read your career profile |
If a request requires a scope the key doesn’t have, the API returns 403 Forbidden.
Rate Limits
Rate limits are per account (not per key) using a sliding window:
| Endpoint | Limit |
|---|---|
| POST /v1/jobs/search | 30 requests/min |
| POST /v1/tracker/applications | 20 requests/min |
| PATCH /v1/tracker/applications/:id | 20 requests/min |
| GET /v1/tracker/applications | 60 requests/min |
| GET /v1/profile | 30 requests/min |
Every response includes rate limit headers:
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1710504000000
When rate limited, the response includes a Retry-After header (in seconds).
Error Responses
| Status | Meaning |
|---|---|
| 400 | Bad request - missing or invalid fields |
| 401 | Missing, invalid, expired, or revoked API key |
| 403 | API key lacks required scope |
| 429 | Rate limit exceeded |
| 500 | Internal server error |
All errors return JSON:
{
  "error": "Invalid or expired API key"
}
Security
- Keys are SHA-256 hashed before storage - plain keys are never stored
- 256-bit entropy (32 random bytes) - cryptographically secure
- Keys can be revoked instantly from Settings
- Standalone auth - not tied to your browser session, designed for machine-to-machine access
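
The sketch below is an added example, not Mokaru's own code: it shows one way a server can implement the scheme described on this page, storing only the SHA-256 digest of each key and mapping a request to the documented 401 and 403 responses. The `store` dictionary, the function names, and the lowercase-hex assumption in the key pattern are hypothetical.

```python
import hashlib
import re
import secrets

# Key format from the page: "mk_" + 64 hex characters (lowercase is an assumption).
KEY_RE = re.compile(r"mk_[0-9a-f]{64}")

def new_key():
    """Return (plain_key, stored_digest); only the digest is persisted."""
    plain = "mk_" + secrets.token_hex(32)  # 32 random bytes = 256 bits of entropy
    return plain, hashlib.sha256(plain.encode()).hexdigest()

def authorize(header, required_scope, store):
    """Map an Authorization header to the page's status codes: 200, 401 or 403.

    `store` is a hypothetical dict: sha256 hex digest -> {"scopes": set, "revoked": bool}.
    """
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not KEY_RE.fullmatch(token):
        return 401  # missing or malformed key, rejected before any lookup
    # Look up by digest: the plain key is never stored, so a leaked
    # database does not yield usable keys.
    record = store.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["revoked"]:
        return 401  # unknown or revoked key
    if required_scope not in record["scopes"]:
        return 403  # valid key that lacks the required scope
    return 200

def demo():
    """Run constructed sample requests through authorize()."""
    plain, digest = new_key()
    store = {digest: {"scopes": {"jobs:search", "tracker:read"}, "revoked": False}}
    results = {
        "ok": authorize(f"Bearer {plain}", "jobs:search", store),
        "no_scope": authorize(f"Bearer {plain}", "tracker:write", store),
        "bad_format": authorize("Bearer mk_1234", "jobs:search", store),
        "unknown": authorize("Bearer mk_" + "0" * 64, "jobs:search", store),
        "missing": authorize(None, "jobs:search", store),
    }
    store[digest]["revoked"] = True  # revocation takes effect on the next request
    results["revoked"] = authorize(f"Bearer {plain}", "jobs:search", store)
    return results

if __name__ == "__main__":
    print(demo())
```

A fast, unsalted hash is acceptable here only because each key carries 256 bits of random entropy; the same approach would not be safe for user-chosen passwords.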