Authentication
Staying API uses bearer tokens in the Authorization header. Every API key
starts with the prefix sk_ followed by 32 base64url characters.
REST
GET /v1/stays/1135700964697993602 HTTP/1.1Host: api.stayingapi.comAuthorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxcurl https://api.stayingapi.com/v1/stays/1135700964697993602 \ -H "Authorization: Bearer sk_live_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"Managing keys
Issue and revoke keys from the dashboard at /app/keys.
- Plain-text secrets are shown only once, at creation. Store them in a vault.
- Revoking a key takes effect within seconds. Active integrations stop working
immediately after revoke; we return
401 invalid_key. - Each key has a name (your label) and a prefix you can use for searching logs.
MCP / OAuth
For Model Context Protocol clients we also support OAuth 2.1 with PKCE:
- Authorization endpoint:
https://api.stayingapi.com/oauth/authorize - Token endpoint:
https://api.stayingapi.com/oauth/token - Scope:
mcp:access - Discovery: /.well-known/oauth-authorization-server
Once you complete the OAuth handshake the access token is a long-lived API key,
indistinguishable from the ones issued in the dashboard. The MCP server at
https://api.stayingapi.com/mcp accepts it in the same Authorization: Bearer
header.
Best practices
- Never ship a secret to a client. Keep keys server-side.
- Rotate periodically. Revoke and re-create rather than amending.
- Use one key per environment (
dev,staging,production).