Manager Toolkit logo

API Tokens

Generate, rotate, and revoke API keys for automated workflows and machine-to-machine integrations.

Last updated April 2026
Pro
API key creation is a Pro feature. Free accounts can view this page but the Generate button is disabled until you upgrade.

API tokens give you programmatic access to your Manager Toolkit data. Use them in CI/CD pipelines, scheduled scripts, dashboards, or any server-side workflow that needs to read or write your Actions, Catchups, Targets, and other entities without going through the web app.

Creating a Key

Go to Profile > Tools and find the API Keys section.
Click Create Key and give it a memorable name (e.g. "CI Pipeline" or "Weekly Digest Script").
Pick an expiry: 1 month, 3 months, or 6 months. The default is 3 months.
Copy the generated key immediately. We hash and store it server-side, so this is the only time you will ever see it. If you lose it, revoke the key and generate a new one.

Account Limits

Each Manager Toolkit account can have up to three live API keys at a time. If you hit the limit, delete an existing key (or wait for one to expire) before creating a new one.

Using a Key

Pass the key as a Bearer token in the Authorization header on any API request:

GET /api/actions HTTP/1.1
Host: api.manager-toolkit.com
Authorization: Bearer mt_your_key_here

The same header is accepted by your MCP client when you point it at the API. See MCP Connector for the OAuth-driven alternative, which is the recommended path for interactive AI assistants.

Rotation

Keys do not auto-renew. When a key is approaching its expiry, generate a replacement key with the same scope, update your integration to use the new key, and revoke the old one. Two keys can coexist during the handover so you never break a live automation.

Revoking

You can revoke a key at any time from Profile > Tools. Revoked keys stop working immediately on the next request, since the API checks the hash against the live key list on every call.

Name your keys per integration, not per environment. If a key leaks, you only have to rotate the one job that uses it instead of every script that shares a generic name like "default".
Treat API keys like passwords. Don't commit them to source control, don't paste them into chat, and prefer your secret manager / CI vault over hardcoding. We hash keys at rest, so if a backup ever leaks the key cannot be recovered from it.

Was this article helpful?