Authentication & API Tokens
All requests to the Mojave API must be authenticated.
We support two authentication methods:
Personal API Tokens – For backend scripts, internal tools, and CLI usage.
OAuth 2.0 – For user-facing apps and third-party integrations (see OAuth guide).
This page covers how to authenticate with API tokens. If you're building a more complex integration that requires user consent, head over to the OAuth2 section.
Generating an API Token
You can create API tokens from your Mojave dashboard under Settings → Developer → API Tokens.
API tokens are scoped to your workspace and role. Keep them secure.
Example Request (Using Curl)
Required Header
Header | Value Format | Required |
---|---|---|
Authorization | | ✅ |
Content-Type | | ✅ for POST/PUT |
Token Permissions
Each API token inherits the permissions of the user who generated it. If your token belongs to an admin, it will have full read/write access across projects, users, invoices, and time entries.
⚠️ If a team member’s role changes, the permissions of their token also change.
Best Practices
Keep tokens secret – Never expose them in frontend code or public repos.
Use environment variables – Store tokens as env vars like MOJAVE_API_TOKEN.
Rotate periodically – Revoke and regenerate tokens as part of your security process.
Scope by use – Use different tokens per app or integration for better tracking and revocation.
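The first two practices above can be enforced in CI. The following is an added example, not part of the Mojave documentation: it flags lines where MOJAVE_API_TOKEN is assigned a literal value instead of being read from the environment. The token values, sample lines and matching heuristics are constructed assumptions.

```python
import re

ENV_NAME = "MOJAVE_API_TOKEN"  # env var name suggested on this page

# NAME = "x", NAME: 'x' or NAME=x; (?!=) skips comparisons such as ==.
ASSIGN = re.compile(
    rf"""\b{ENV_NAME}\b\s*[:=](?!=)\s*(?P<value>"[^"]*"|'[^']*'|[^\s;#]+)"""
)
# Heuristic (assumption): values that start like a variable reference, an
# environment lookup, a template or a <placeholder> are not literal secrets.
INDIRECT = re.compile(r"^(\$|\{\{|<|os\.|process\.|getenv\b|ENV\b)")


def find_hardcoded_tokens(text):
    """Return (line_number, redacted_line) for each literal token assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ASSIGN.finditer(line):
            value = m.group("value").strip("\"'")
            if not value or INDIRECT.match(value):
                continue
            # Never echo the secret into CI logs: replace it before reporting.
            redacted = line[:m.start("value")] + "[REDACTED]" + line[m.end("value"):]
            findings.append((lineno, redacted.strip()))
    return findings


# Constructed sample: one line each from different hypothetical files.
SAMPLE = '''\
export MOJAVE_API_TOKEN=tok_constructed_123        # shell profile: literal
MOJAVE_API_TOKEN = os.environ["MOJAVE_API_TOKEN"]  # Python: env lookup
const MOJAVE_API_TOKEN = "tok_constructed_456";    // frontend JS: literal
MOJAVE_API_TOKEN: ${{ secrets.MOJAVE_API_TOKEN }}  # CI config: secret reference
MOJAVE_API_TOKEN=                                  # .env.example: empty
if (process.env.MOJAVE_API_TOKEN == null) fail();  // comparison, not assignment
'''

if __name__ == "__main__":
    for lineno, redacted in find_hardcoded_tokens(SAMPLE):
        print(f"line {lineno}: hardcoded {ENV_NAME}: {redacted}")
```

A token that this check finds in a committed file should be revoked and regenerated, since it remains in repository history after the line is removed.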
Token Errors & Troubleshooting
Status Code | Error Type | Meaning |
---|---|---|
 | | Token is missing, invalid, or expired |
 | | Token is valid, but user lacks required permissions |
 | | Too many requests – wait and try again later |
Example error response:
Test Your Token
This will return:
If successful, your token is working and authenticated correctly.