API
Authentication
Authenticate REST and MCP requests with workspace API keys.
The REST API and MCP server use the same Bearer token authentication.
Both are served from https://app.citlyze.com.
Header
Authorization: Bearer aeo_live_...Workspace scope
Each key grants read access to exactly one workspace. It cannot read another workspace and cannot write data.
Plan gating
API exports must be included in the workspace plan. If exports are not available, requests return:
{
"error": "API access is not included in this workspace's plan. Upgrade to a plan with API exports.",
"code": "plan_capability_required"
}Rate limits
The default per-key rate limit is 120 requests per minute. Rate-limited
responses include a Retry-After header.
Revocation
Revoked keys stop working immediately. Create a new key for each external tool so access can be revoked independently.