Skip to main content

API Keys

All API requests require an API key passed in the Authorization header: 
Authorization: Bearer mk_<64 hex characters>

Creating an API Key

  1. Go to Settings > API in the Mokaru app
  2. Click Create API key
  3. Give it a name (e.g. “Claude Desktop”) and select permissions
  4. Copy the key immediately - it’s only shown once
API keys require a Plus plan. You can have 1 active key per account. Revoke the existing key to create a new one.

Scopes

Each API key has scopes that control what it can access:
ScopeDescription
jobs:searchSearch job listings
tracker:readRead your applications
tracker:writeCreate and update applications
profile:readRead your career profile
profile:writeUpdate your career profile
contacts:readRead your contacts
contacts:writeCreate, update, and delete contacts
experiences:readRead your work experiences
experiences:writeCreate, update, and delete work experiences
education:readRead your education
education:writeCreate, update, and delete education
skills:readRead your skills
skills:writeCreate, update, and delete skills
resume:readList and read resumes
resume:writeCreate, update, and delete resumes
resume:exportExport resumes as PDF
If a request requires a scope the key doesn’t have, the API returns 403 Forbidden.

Rate Limits

Rate limits are per account (not per key) using a sliding window:
EndpointLimit
POST /v1/jobs/search30 requests/min
POST /v1/tracker/applications20 requests/min
PATCH /v1/tracker/applications/:id20 requests/min
GET /v1/tracker/applications60 requests/min
GET /v1/profile30 requests/min
PATCH /v1/profile20 requests/min
GET /v1/contacts60 requests/min
GET /v1/contacts/:id30 requests/min
POST /v1/contacts20 requests/min
PATCH /v1/contacts/:id20 requests/min
DELETE /v1/contacts/:id10 requests/min
GET /v1/experiences60 requests/min
GET /v1/experiences/:id30 requests/min
POST /v1/experiences20 requests/min
PATCH /v1/experiences/:id20 requests/min
DELETE /v1/experiences/:id10 requests/min
GET /v1/education60 requests/min
GET /v1/education/:id30 requests/min
POST /v1/education20 requests/min
PATCH /v1/education/:id20 requests/min
DELETE /v1/education/:id10 requests/min
GET /v1/skills60 requests/min
GET /v1/skills/:id30 requests/min
POST /v1/skills20 requests/min
PATCH /v1/skills/:id20 requests/min
DELETE /v1/skills/:id10 requests/min
DELETE /v1/tracker/applications/:id10 requests/min
GET /v1/resume60 requests/min
GET /v1/resume/:id30 requests/min
POST /v1/resume10 requests/min
PATCH /v1/resume/:id20 requests/min
DELETE /v1/resume/:id10 requests/min
POST /v1/resume/:id/export/pdf5 requests/min
Every response includes rate limit headers: 
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 29
X-RateLimit-Reset: 1710504000000
When rate limited, the response includes a Retry-After header (in seconds).

Error Responses

StatusMeaning
400Bad request - missing or invalid fields
401Missing, invalid, expired, or revoked API key
403API key lacks required scope
429Rate limit exceeded
500Internal server error
All errors return JSON: 
{
  "error": "Invalid or expired API key"
}

Security

  • Keys are SHA-256 hashed before storage - plain keys are never stored
  • 256-bit entropy (32 random bytes) - cryptographically secure
  • Keys can be revoked instantly from Settings
  • Standalone auth - not tied to your browser session, designed for machine-to-machine access