Skip to content

Authentication

Staying API uses bearer tokens in the Authorization header. Every API key starts with the prefix sk_ followed by 32 base64url characters.

REST

GET /v1/stays/1135700964697993602 HTTP/1.1
Host: api.stayingapi.com
Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Terminal window
curl https://api.stayingapi.com/v1/stays/1135700964697993602 \
-H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"

Managing keys

Issue and revoke keys from the dashboard at /app/keys.

  • Plain-text secrets are shown only once, at creation. Store them in a vault.
  • Revoking a key takes effect within seconds. Active integrations stop working immediately after revoke; we return 401 invalid_key.
  • Each key has a name (your label) and a prefix you can use for searching logs.

MCP / OAuth

For Model Context Protocol clients we also support OAuth 2.1 with PKCE:

Once you complete the OAuth handshake the access token is a long-lived API key, indistinguishable from the ones issued in the dashboard. The MCP server at https://api.stayingapi.com/mcp accepts it in the same Authorization: Bearer header.

Best practices

  • Never ship a secret to a client. Keep keys server-side.
  • Rotate periodically. Revoke and re-create rather than amending.
  • Use one key per environment (dev, staging, production).

Next