Authentication
How to authenticate with the Xobni.ai API and MCP server.
Bearer Token
All API requests require authentication via an API key sent as a Bearer token in the Authorization header.
HTTP Header
Authorization: Bearer YOUR_API_KEYAPI keys are prefixed with xobni_ and are cryptographically random. They are stored as SHA-256 hashes — the raw key is shown only at creation time.
Key Scoping
Each API key is scoped to a single agent. The key can only access that agent's emails, threads, attachments, and webhooks. Parameters like account_id and agent_id are auto-resolved from the key — no need to pass them.
What scoped keys can do
- Read, send, search, and manage emails for their agent
- Create and manage webhooks for their agent
- View agent info and storage usage
What scoped keys cannot do
- Access other agents' data (returns 403)
- Create or delete agents
- Manage API keys
- Access billing or subscription settings
Managing Keys
Create and manage API keys in Settings → API Keys. Select which agent the key is scoped to when creating it.