The CardMind API supports three authentication methods, checked in priority order on every request to /api/*.
Used exclusively by CardMind satellite projects (cardmind-social, cardmind-video, cardmind-pages) to call the API hub without consuming rate-limit quota. If this header is present and matches the server-side secret, all rate limits and tier checks are bypassed.
curl "https://api.cardmind.app/api/signals/recent" \
-H "x-internal-secret: <INTERNAL_API_SECRET>"This method is not available to external developers. The secret is never exposed in responses or logs.
The standard method for external developers. Generate an API key at cardmind.app/settings and pass it as a Bearer token in the Authorization header on every request.
All API keys are prefixed with cm_live_. Never share your key — it grants full access to your account's quota.
curl "https://api.cardmind.app/api/cards/search?q=lightning+bolt" \
-H "Authorization: Bearer cm_live_YOUR_KEY"MCP clients (Claude Desktop, ChatGPT, and compatible agents) authenticate via OAuth2 when connecting to https://api.cardmind.app/mcp. The OAuth2 token is validated server-side and mapped to your CardMind account. This method requires a Premium subscription.
See the MCP Protocol → page for setup instructions for Claude Desktop and ChatGPT.
All authentication failures return a consistent JSON envelope. The code field identifies the error type programmatically.
| Status | Code | Cause |
|---|---|---|
| 401 | UNAUTHORIZED | Missing, invalid, or inactive API key |
| 403 | PREMIUM_REQUIRED | Free-tier key accessing a premium-only endpoint |
| 429 | RATE_LIMITED | Per-minute or monthly quota exceeded |
{
"data": null,
"error": {
"message": "Invalid or missing API key",
"code": "UNAUTHORIZED"
}
}{
"data": null,
"error": {
"message": "MCP Premium required",
"code": "PREMIUM_REQUIRED"
}
}Premium-only endpoints: /api/collection/value, /api/webhooks, /api/ai/analyze.