Authentication
MonkeyHub uses prefixed API keys for authentication. Every request is scoped to an organization — cross-tenant access is physically impossible at the data layer.
API Key Types
mk_live_Secret Key
Full read + write access. Server-side only.
mk_pub_Public Key
Read-only access. Safe for browsers.
Usage
Pass your API key in the Authorization header. The SDK handles this automatically.
typescript
// SDK — key is injected automatically
const db = new Monkey('mk_live_your_api_key')
// Raw HTTP
fetch('https://api.monkeyhub.io/api/collections/users/items/user_01', {
headers: { 'Authorization': 'Bearer mk_live_your_api_key' },
})Important: Never expose
mk_live_ keys in client-side code (browser, mobile app, public repo). Use mk_pub_ keys for any code that runs in the browser.Permissions
| Operation | mk_live_ (Secret) | mk_pub_ (Public) |
|---|---|---|
| MonkeyDB find / findOne / query | Yes | Yes |
| MonkeyDB save / remove | Yes | No |
| MonkeyTasks run | Yes | No |
| MonkeyTasks get / query | Yes | Yes |
| MonkeyBuckets put (upload) | Yes | No |
| MonkeyBuckets getUrl (public files) | Yes | Yes |
| MonkeyBuckets getUrl (private files) | Yes | No |
| MonkeyBuckets query (list files) | Yes | Yes |
| MonkeyBuckets remove | Yes | No |
Key Management
Create, list, and revoke API keys from the Dashboard or via the management API.
| Action | Endpoint |
|---|---|
| Create key | POST /api/keys |
| List keys (masked) | GET /api/keys |
| Revoke key | DELETE /api/keys/:id |
Warning: Revoking a key is immediate and permanent. Any requests using the revoked key will receive
403 Forbidden.