Authentication
Schedule & Chill uses API keys (bearer tokens) to authenticate both the REST API and the MCP server. Every request must include your key in the Authorization header.
Authorization: Bearer YOUR_API_KEY
A request without a valid key returns 401 Unauthorized.
Creating a key
- Sign in and open Settings → API Keys.
- Click Create Key, give it a name (e.g. Production Server, Claude Desktop).
- Copy the token immediately — for security it is shown only once and cannot be retrieved later. If you lose it, revoke the key and create a new one.
You can also manage keys over the REST API itself — see API Keys.
Using the key
Send it on every request to the REST API and the MCP server:
curl https://schedulenchill.com/api/posts \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Accept: application/json"
Token lifetime
Keys do not expire automatically. They remain valid until you revoke them under Settings → API Keys (or via DELETE /api/api-keys/{id}).
Security
- Treat keys like passwords. Store them in a secrets manager or environment variables — never in client-side code or version control.
- Use a separate key per integration so you can revoke one without affecting others.
- Rotate keys periodically by creating a new one and revoking the old.
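An added example (not from the Schedule & Chill documentation) of keeping the key in an environment variable while calling the API with curl: the Authorization header is handed to curl through a config read from stdin, so the key does not show up in the process list or in shell history. The names SNC_API_KEY, SNC_BASE_URL, snc_auth_config and snc_request are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not part of the Schedule & Chill docs.
# SNC_API_KEY, SNC_BASE_URL and both function names are assumptions of this example.

SNC_BASE_URL="${SNC_BASE_URL:-https://schedulenchill.com}"

# Print a curl config line carrying the Authorization header.
# Returns 1 if the key is missing or contains characters that would
# break out of the quoted config value (whitespace, double quote, backslash).
snc_auth_config() {
  local key="${SNC_API_KEY:-}"
  if [ -z "$key" ]; then
    echo "SNC_API_KEY is not set; load it from your secrets manager" >&2
    return 1
  fi
  case "$key" in
    *[[:space:]]* | *\"* | *\\*)
      echo "SNC_API_KEY contains characters that are unsafe in a curl config" >&2
      return 1
      ;;
  esac
  printf 'header = "Authorization: Bearer %s"\n' "$key"
}

# snc_request PATH [extra curl args...]
# The key reaches curl on stdin (--config -), never in argv. printf is a shell
# builtin, so no child process is started with the key on its command line.
# --proto '=https' refuses any non-HTTPS URL; --fail makes an HTTP error such as
# 401 Unauthorized exit with status 22 instead of looking like success.
snc_request() {
  local path="$1" cfg
  shift
  cfg="$(snc_auth_config)" || return 1
  printf '%s\n' "$cfg" |
    curl --silent --show-error --fail --proto '=https' --config - \
      -H "Accept: application/json" "$@" "${SNC_BASE_URL}${path}"
}

# Usage: snc_request /api/posts
```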
Scope
A key acts on behalf of the user who created it and can access that user's posts, media, and connected accounts. There are no per-key permission scopes yet.