REST API
Build on the same API the dashboard uses
Every screen in the MacroMkt dashboard, and every tool in the MCP server, is a thin client over this REST surface. Same auth, same scope gates, same data — your scripts and integrations are first-class.
Live spec
Swagger UI
Interactive try-it-out playground. Paste a Bearer token in the top-right Authorize button to call any endpoint.
Redoc
Read-only reference layout — better for skimming the whole surface at once.
OpenAPI 3.1 spec
Source of truth. Feed this to your codegen of choice (openapi-generator, orval, hey-api…).
Authentication
Same Authorization: Bearer … header for both flows. Mint API tokens at Settings → API Tokens.
| Flow | Header value | Used by |
|---|---|---|
| API token | Bearer mk_live_<32hex> | MCP server, scripts, CI |
| JWT | Bearer <jwt> | Dashboard only (NextAuth-internal) |
First call
Validates your token and returns the active user + workspace + scopes:
curl -s https://macromkt.com/api/me \
-H "Authorization: Bearer mk_live_..."Scope model
API tokens carry a fixed scope list. Endpoints check scopes server-side; missing scope → 403 with the missing scope named in the response body.
drafts:read
Read draft posts
drafts:write
Create / update / delete drafts
posts:read
Read published posts
posts:publish
Publish approved posts
monitors:read
List configured monitors
monitors:write
Create / delete monitors
scans:read
Read past scan results
scans:run
Trigger an async scan
credentials:read
List wired-up platform keys
credentials:write
Update / rotate platform keys
history:read
Read findings / events history
members:read
Read workspace members
Conventions
- Pagination. List endpoints accept
?limit=<n>&offset=<m>. Default 50, cap 100. - Errors. FastAPI shape:
{"detail": "<message>"}.401for missing/invalid token,403for missing scope,422for validation. - CORS. Allowlist includes
macromkt.com. Server-to-server callers don't need CORS. - Stability. The OpenAPI spec is the contract. Breaking changes get a new version path; additive changes don't.
Recommended path
Use the MCP server instead of raw REST for LLM-driven work — same auth, fewer round-trips.