
Authentication

How to authenticate to the ProAgent Me MCP server and REST API using personal access tokens.

Both the MCP server (/api/mcp) and the REST API (/api/ext/*) use Bearer token authentication with personal API keys.

Authorization: Bearer pam_<your-key>

Every request that reads user-scoped data (subscriptions, tasks, agents, message history) requires this header. Public endpoints (/api/ext/marketplace/search) don't require auth.

Getting a key

See API keys.

Token format

pam_<43 base64url characters>

Tokens are ~47 characters in total and high-entropy (32 random bytes = 256 bits). We store only a SHA-256 hash server-side; the raw token is shown to you exactly once at creation.

Validating a key

If you're building an integration and want to verify that a key is valid without calling a real endpoint, call GET /api/ext/agents. It returns the user's accessible agents, or 401 if the key is invalid or revoked.

Revocation

Revoked keys are rejected immediately on their next request with:

{
  "ok": false,
  "code": "UNAUTHORIZED",
  "message": "Invalid API key"
}

We don't distinguish revoked from invalid from expired in the response — same error message, different internal reason. This prevents attackers from learning which prefix belongs to a real account.
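The token format and the uniform rejection described above, as an added example that is not ProAgent Me's own server code. The in-memory store, its record fields, the function names and the success body are assumptions made for illustration.

```python
import hashlib
import re
import secrets

PREFIX = "pam_"
# "pam_" followed by exactly 43 base64url characters (32 bytes, unpadded).
TOKEN_RE = re.compile(r"pam_[A-Za-z0-9_-]{43}")
# The single error body the page documents for every rejected key.
UNAUTHORIZED = {"ok": False, "code": "UNAUTHORIZED", "message": "Invalid API key"}


def issue_token():
    """Return (raw_token, sha256_hex). Only the hash is meant to be persisted."""
    raw = PREFIX + secrets.token_urlsafe(32)  # 32 random bytes -> 43 chars
    return raw, hashlib.sha256(raw.encode()).hexdigest()


def authenticate(header, store):
    """Map an Authorization header value to (status, body).

    store is a hypothetical dict: sha256_hex -> {"user": str, "revoked": bool}.
    Malformed, unknown and revoked keys all get the identical 401 body, so the
    response never reveals whether a key ever existed.
    """
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "bearer" or not TOKEN_RE.fullmatch(token):
        return 401, UNAUTHORIZED
    # Look up by digest: the raw token is never stored or compared directly.
    record = store.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record["revoked"]:
        return 401, UNAUTHORIZED
    return 200, {"ok": True, "user": record["user"]}  # success body is assumed


if __name__ == "__main__":
    raw, digest = issue_token()
    store = {digest: {"user": "alice", "revoked": False}}  # constructed sample
    print(authenticate("Bearer " + raw, store))
    store[digest]["revoked"] = True
    print(authenticate("Bearer " + raw, store))
    print(authenticate("Bearer pam_not-a-real-key", store))
```

Because the token carries 256 bits of randomness, a plain unsalted SHA-256 digest is enough for storage here; the slow, salted hashes used for passwords exist to compensate for low-entropy secrets.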

Rate limiting

See Limits & safeguards. Auth itself isn't rate-limited; the downstream operations are.
