Maito customer API requests authenticate with an API key.
API keys are server-side secrets. Do not expose them in browser JavaScript, static websites, public repositories, logs, or mobile app bundles.
Create An API Key
- Open Maito and go to Settings.
- Open API Keys in the Developer section.
- Click Create.
- Give the key a clear name, such as Production, Docs website, or Internal tool.
- Choose an expiration policy.
- Click Create key.
- Copy the key immediately. Maito shows the secret only once.
- Store the key in a secret manager or server-side environment variable.
API keys are shown only when they are created. If you lose a key, revoke it and create a new one.
Use The Key
Send the API key as a Bearer token in the Authorization header.
Authorization: Bearer <token>
For example:
curl "https://api.getmaito.com/v1/newsletter/subscribers" \
  -H "Authorization: Bearer $MAITO_API_KEY" \
  -H "Accept: application/json"
Server-Side Usage
Store API keys outside source control:
MAITO_API_KEY="your_api_key"
Then read the key from the runtime environment in your integration. Do not expose API keys in browser-side code, public repositories, logs, or client bundles.
Rotate Or Revoke A Key
If a key is exposed or no longer needed:
- Open Settings.
- Open API Keys.
- Revoke the old key.
- Create a replacement key if the integration still needs access.
Update every integration that used the old key.
Authentication Errors
Requests without a valid API key return an error response.
{
  "ok": false,
  "error": {
    "code": "UNAUTHORIZED",
    "message": "Authentication required."
  }
}
Exact messages can vary by route. Clients should treat HTTP 401 as an authentication failure and ask for a new or corrected API key.
API keys can only call supported customer API endpoints. If a valid key calls an app-only or internal route, Maito returns 403.
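The server-side pattern and the 401/403 handling described above, as an added Python example that is not Maito's own client code. The class and function names are hypothetical; the base URL and header format come from the curl example, and error bodies are assumed to follow the envelope shown above.

```python
import json
import os
import urllib.error
import urllib.request

API_BASE = "https://api.getmaito.com/v1"  # from the page's curl example

class MaitoAuthError(Exception):
    """HTTP 401, or no key configured: there is no valid API key."""

class MaitoForbiddenError(Exception):
    """HTTP 403: valid key used on an app-only or internal route."""

def load_api_key(env=os.environ):
    # Read the secret from the runtime environment, never from source code.
    key = env.get("MAITO_API_KEY", "").strip()
    if not key:
        raise MaitoAuthError("MAITO_API_KEY is not set")
    return key

def build_request(path, api_key):
    headers = {"Authorization": f"Bearer {api_key}", "Accept": "application/json"}
    return urllib.request.Request(API_BASE + path, headers=headers)

def check_response(status, body):
    # Exceptions carry the status and error code only, so logging them
    # cannot leak the key or the Authorization header.
    try:
        payload = json.loads(body)
    except ValueError:
        payload = None  # empty or non-JSON body
    error = payload.get("error") if isinstance(payload, dict) else None
    code = error.get("code", "") if isinstance(error, dict) else ""
    if status == 401:
        raise MaitoAuthError(f"401 {code}: supply a new or corrected API key")
    if status == 403:
        raise MaitoForbiddenError(f"403 {code}: route is not open to API keys")
    if status >= 400:
        raise RuntimeError(f"unexpected HTTP {status} {code}")
    return payload

def get(path, env=os.environ):
    request = build_request(path, load_api_key(env))
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return check_response(response.status, response.read())
    except urllib.error.HTTPError as exc:  # urllib raises on 4xx/5xx
        return check_response(exc.code, exc.read())
```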