Authentication

The PlanMySaaS API authenticates requests with API keys. A key is a long random string issued from your workspace — it inherits your workspace's plan, credits, and feature gates.

Generating a key

  1. Go to Settings → API Keys.
  2. Click Generate key. Name it so you can recognise it later (e.g. “Claude Desktop — MacBook”).
  3. The raw key is shown once. Copy it immediately — we only store a SHA-256 hash, so we can't recover it later.

Key format

pms_live_<32 hex chars>
# example: pms_live_a1b2c3d4e5f6789abcdef0123456789f

The pms_live_ prefix makes leaks easy to identify — you can grep your Git history, log archives, or CI build logs for it.
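A small scanner that does the grep for you, as an added example that is not part of the PlanMySaaS docs or tooling. It matches the exact documented shape (prefix plus 32 lowercase hex characters) and flags anything that merely starts with pms_live_ as a partial hit, since a truncated copy of a real key is still worth a look, and it redacts every key in its own report so the scan output does not become the next leak. The sample log lines are constructed for the dry run; file paths and the script name are assumptions.

```python
import re
import sys

# The documented key shape: fixed prefix plus exactly 32 lowercase hex characters.
KEY_RE = re.compile(r"pms_live_[0-9a-f]{32}")
# Anything that starts with the prefix is worth a look even when it is not a
# full key: it may be a truncated or mangled copy of a real one.
CANDIDATE_RE = re.compile(r"pms_live_\w*")


def is_valid_key(token: str) -> bool:
    """True only for the exact documented shape (no uppercase, no extra characters)."""
    return KEY_RE.fullmatch(token) is not None


def redact(token: str) -> str:
    """Keep the prefix and the last 4 characters: enough to match the key on the
    API Keys page, not enough to use it."""
    return token[:9] + "..." + token[-4:]


def scan_text(text: str, source: str = "<text>") -> list[dict]:
    """One finding per prefix hit, with the key already redacted so the report
    itself does not leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            token = m.group(0)
            full = is_valid_key(token)
            findings.append({
                "source": source,
                "line": lineno,
                "kind": "key" if full else "partial",
                "redacted": redact(token) if full else token[:9] + "...",
            })
    return findings


def scan_files(paths: list[str]) -> list[dict]:
    """Scan each file as text; undecodable bytes are replaced rather than fatal."""
    findings = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            findings.extend(scan_text(f.read(), source=path))
    return findings


# Constructed sample log lines (not real output from any system) for a dry run.
SAMPLE_LOG = """\
INFO  worker starting
DEBUG headers={'X-API-Key': 'pms_live_a1b2c3d4e5f6789abcdef0123456789f'}
DEBUG retry with key pms_live_a1b2c3
INFO  worker done
"""

if __name__ == "__main__":
    # Usage in CI or a pre-commit hook (script name assumed):
    #   python scan_keys.py build.log .env.example
    #   git log -p | python scan_keys.py /dev/stdin
    # Exits non-zero when a full key is found so the pipeline fails.
    results = scan_files(sys.argv[1:]) if len(sys.argv) > 1 else scan_text(SAMPLE_LOG)
    for r in results:
        print(f"{r['source']}:{r['line']}: {r['kind']} {r['redacted']}")
    sys.exit(1 if any(r["kind"] == "key" for r in results) else 0)
```

Run with no arguments it scans the constructed sample and reports one full key on line 2 and one partial on line 3. The partial match is deliberately noisy: a hit on the bare prefix in documentation is cheap to dismiss, a truncated real key in a build log is not.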

Passing the key

The API accepts the key via either header — pick whichever fits your client:

# X-API-Key header (preferred — cleaner server logs)
X-API-Key: pms_live_…

# OR Authorization: Bearer (standard OAuth-style)
Authorization: Bearer pms_live_…

Example

curl https://www.planmysaas.com/api/v1/mcp/credits \
  -H "X-API-Key: pms_live_…"

TypeScript / Node

const res = await fetch("https://www.planmysaas.com/api/v1/mcp/generate/research", {
  method: "POST",
  headers: {
    "X-API-Key": process.env.PLANMYSAAS_API_KEY!,
    "Content-Type": "application/json",
  },
  body: JSON.stringify({ idea: "Quiet-hours SMS scheduler for solo founders" }),
})
// fetch does not throw on 4xx/5xx: check the status before trusting the body
if (!res.ok) throw new Error(`PlanMySaaS ${res.status}: ${await res.text()}`)
const { data, meta } = await res.json()

Python

import os, requests
r = requests.post(
  "https://www.planmysaas.com/api/v1/mcp/generate/research",
  headers={
    "X-API-Key": os.environ["PLANMYSAAS_API_KEY"],
    "Content-Type": "application/json",
  },
  json={"idea": "Quiet-hours SMS scheduler for solo founders"},
  timeout=120,
)
r.raise_for_status()
data = r.json()["data"]

Scopes

Every key has a scope. Today we support:

  • full — can call every endpoint, deducts credits normally (default)
  • readonly — can call GET /credits and future read-only endpoints only; generation endpoints reject with 403

Rotation

There's no built-in rotation schedule — rotate at your own pace. The pattern we recommend:

  1. Generate a new key in Settings → API Keys.
  2. Deploy the new key to your MCP config / env var.
  3. Revoke the old key. Both keys are valid between steps 1 and 3, so there is no gap in service.

Revoking a key

Click Revoke on any key in Settings. Revocation is immediate: the next request made with that key, and every request after it, returns 401 revoked_api_key. Revoked keys can't be reactivated; generate a fresh key to replace one.

Storing keys safely

  • Use env vars. Never commit keys to git. .env files should be in .gitignore.
  • Least privilege. If a script only needs to read credits, create a readonly-scoped key for it.
  • One key per client. Separate keys for Claude Desktop, Cursor, CI, etc. Makes rotation + revocation surgical.
  • Watch the usage. If you see anomalous spikes or errors on the API Keys page, revoke and rotate.

Errors

Authentication failures return 401 with one of:

  • missing_api_key — no key in either header
  • malformed_api_key — doesn't match the pms_live_… shape
  • invalid_api_key — key hash not found (never existed or mistyped)
  • revoked_api_key — key was revoked

See error codes for the full list.
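Handling these codes on the client side, as an added example that is not part of the PlanMySaaS docs or any SDK of theirs. It checks the key shape locally before sending, so a misconfigured client fails fast instead of spending a request on missing_api_key or malformed_api_key; it maps a 401 back to the code listed above; and it exposes key_status(), which is the check to run on a new key in rotation step 2 before revoking the old one. Assumptions: the 401 body carries the code at error.code (this page does not document the body shape), the Transport callable is this example's own abstraction rather than anything the service provides, and fake_transport is a constructed stand-in for the API so the block runs offline.

```python
from __future__ import annotations

import os
import re
from typing import Callable

# Fixed shape from the "Key format" section: prefix plus 32 lowercase hex chars.
KEY_RE = re.compile(r"pms_live_[0-9a-f]{32}")
BASE_URL = "https://www.planmysaas.com/api/v1/mcp"

# The 401 codes documented in the "Errors" section, split by who has to act.
CLIENT_BUG = {"missing_api_key", "malformed_api_key"}   # fix the client config
NEEDS_NEW_KEY = {"invalid_api_key", "revoked_api_key"}  # generate / rotate a key


class AuthError(Exception):
    """Any 401 listed on this page; .code is the documented error code,
    .where says whether it was caught locally or returned by the API."""
    def __init__(self, code: str, where: str):
        super().__init__(f"{code} ({where})")
        self.code = code
        self.where = where


def auth_headers(key: str | None) -> dict[str, str]:
    """Validate the key locally so a bad config fails here, not as a 401 round trip."""
    if not key:
        raise AuthError("missing_api_key", "local")
    if not KEY_RE.fullmatch(key):
        raise AuthError("malformed_api_key", "local")
    return {"X-API-Key": key}


# A transport sends one request (method, url, headers) and returns (status, JSON body).
# This is the example's own abstraction, used so the same code runs against a fake.
Transport = Callable[[str, str, dict[str, str]], tuple[int, dict]]


def error_code(body: dict) -> str | None:
    """ASSUMPTION: the 401 body carries the code at body["error"]["code"].
    The page does not document the body shape; adjust this to what you observe."""
    err = body.get("error")
    if isinstance(err, dict):
        return err.get("code")
    if isinstance(err, str):
        return err
    return None


def get_credits(send: Transport, key: str | None) -> dict:
    """GET /credits with the key; raises AuthError on a documented 401."""
    status, body = send("GET", f"{BASE_URL}/credits", auth_headers(key))
    if status == 401:
        raise AuthError(error_code(body) or "unknown", "api")
    if status >= 400:
        raise RuntimeError(f"HTTP {status}: {body}")
    return body


def key_status(send: Transport, key: str | None) -> str:
    """'ok' or the 401 code. Run this on the NEW key (rotation step 2) before
    revoking the old one; 'ok' means it is safe to proceed to step 3."""
    try:
        get_credits(send, key)
        return "ok"
    except AuthError as e:
        return e.code


def requests_transport(method: str, url: str, headers: dict[str, str]) -> tuple[int, dict]:
    """Real transport for production use (requests imported lazily so the demo stays offline)."""
    import requests
    r = requests.request(method, url, headers=headers, timeout=30)
    try:
        return r.status_code, r.json()
    except ValueError:
        return r.status_code, {}


# --- Constructed fake server so the example runs offline; not the real API. ---
GOOD_KEY = "pms_live_" + "0" * 32
REVOKED_KEY = "pms_live_" + "1" * 32


def fake_transport(method: str, url: str, headers: dict[str, str]) -> tuple[int, dict]:
    key = headers.get("X-API-Key")
    if key == GOOD_KEY:
        return 200, {"data": {"credits": 42}}
    code = "revoked_api_key" if key == REVOKED_KEY else "invalid_api_key"
    return 401, {"error": {"code": code}}


if __name__ == "__main__":
    for k in (GOOD_KEY, REVOKED_KEY, "pms_live_" + "f" * 32, "pms_live_deadbeef", None):
        print(f"{str(k)[:20]:<20} -> {key_status(fake_transport, k)}")
    # Against the real API, only when a key is configured in the environment:
    if os.environ.get("PLANMYSAAS_API_KEY"):
        print("real:", key_status(requests_transport, os.environ["PLANMYSAAS_API_KEY"]))
```

Note the split in the code: missing_api_key and malformed_api_key never need to leave the machine, because both are properties of the string in your config, while invalid_api_key and revoked_api_key can only come from the server's hash lookup and mean a human has to generate a new key.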