Authentication
The MirrorMingo Exam API uses API keys sent as bearer tokens.
Authorization: Bearer mirrormingo_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key format
Keys look like mirrormingo_ followed by 48 hex characters. They are generated
server-side and hashed with SHA-256 before storage — MirrorMingo never keeps
the plaintext, which is why a key is shown only once at creation.
Managing keys
From Account → Developer, or via the management API (which is authenticated with your normal logged-in session, not an API key):
| Action | Endpoint |
|---|---|
| Create | POST /v1/developer/keys → returns the plaintext key once |
| List | GET /v1/developer/keys → returns redacted prefixes + last-used |
| Revoke | DELETE /v1/developer/keys/{key_prefix} |
Security best practices
- Server-side only. Never embed a key in a web page, mobile binary or public repo. For browser/mobile apps, proxy requests through your own backend.
- One key per environment/service. Separate prod, staging and per-service keys so you can revoke narrowly. The last_used_at timestamp helps spot stale keys.
- Rotate on exposure. Create the new key, deploy it, then revoke the old one; revocation is immediate.
- Use the sandbox for tests. Sandbox keys (sandbox.api.mirrormingo.com) are non-billable and isolated from production data.
Errors
A missing, malformed or revoked key returns 401:
{ "error": "unauthorized", "detail": "Invalid API key" }
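The following is an added, illustrative model of the key lifecycle described on this page (key format, hash-only storage, create/list/revoke by prefix, and the 401 response for a missing, malformed or revoked key). It is not MirrorMingo's own code. The length of the redacted prefix (8 hex characters), the in-memory store and the record fields other than last_used_at are assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time

# Assumptions for this example (not MirrorMingo's implementation):
# key = "mirrormingo_" + 48 hex chars (24 random bytes, as the page describes);
# the "redacted prefix" used for listing and revocation is the first 8 hex chars.
PREFIX = "mirrormingo_"
RANDOM_BYTES = 24          # 24 bytes -> 48 hex characters
PREFIX_CHARS = 8           # assumed length of the redacted prefix
_HEX = set("0123456789abcdef")
UNAUTHORIZED = json.dumps({"error": "unauthorized", "detail": "Invalid API key"})


def is_well_formed(key: str) -> bool:
    """Cheap syntactic check before touching the store."""
    if not key.startswith(PREFIX):
        return False
    body = key[len(PREFIX):]
    return len(body) == 2 * RANDOM_BYTES and all(c in _HEX for c in body)


def key_hash(key: str) -> str:
    # A plain SHA-256 is adequate here because the key is 192 bits of
    # CSPRNG output; slow password hashes are for low-entropy secrets.
    return hashlib.sha256(key.encode()).hexdigest()


class KeyStore:
    """In-memory stand-in for the developer key table. Only hashes are kept."""

    def __init__(self):
        self._rows = []  # list of records, each holding a sha256 hex, never the key

    def create(self, label: str, now=None) -> str:
        key = PREFIX + secrets.token_hex(RANDOM_BYTES)
        self._rows.append({
            "hash": key_hash(key),
            "prefix": key[len(PREFIX):len(PREFIX) + PREFIX_CHARS],
            "label": label,
            "created_at": now if now is not None else time.time(),
            "last_used_at": None,
            "revoked": False,
        })
        return key  # shown once; the plaintext is not retained anywhere

    def list(self):
        """What GET /v1/developer/keys would return: redacted prefix + usage."""
        return [{"prefix": r["prefix"], "label": r["label"],
                 "last_used_at": r["last_used_at"], "revoked": r["revoked"]}
                for r in self._rows]

    def revoke(self, prefix: str) -> bool:
        hit = False
        for r in self._rows:
            if r["prefix"] == prefix and not r["revoked"]:
                r["revoked"] = True   # takes effect on the next request
                hit = True
        return hit

    def authenticate(self, authorization_header, now=None):
        """Return (record, None) on success or (None, UNAUTHORIZED) for a 401."""
        if not authorization_header or not authorization_header.startswith("Bearer "):
            return None, UNAUTHORIZED
        key = authorization_header[len("Bearer "):].strip()
        if not is_well_formed(key):
            return None, UNAUTHORIZED
        h = key_hash(key)
        for r in self._rows:
            # constant-time digest comparison; a revoked match is still a 401
            if hmac.compare_digest(r["hash"], h):
                if r["revoked"]:
                    return None, UNAUTHORIZED
                r["last_used_at"] = now if now is not None else time.time()
                return r, None
        return None, UNAUTHORIZED


if __name__ == "__main__":
    store = KeyStore()
    key = store.create("prod-billing")
    print("plaintext key (shown once):", key)
    print("listing:", store.list())
    print("auth ok:", store.authenticate("Bearer " + key)[1] is None)
    store.revoke(store.list()[0]["prefix"])
    print("after revoke:", store.authenticate("Bearer " + key)[1])
```

Revocation here flips a flag on the stored hash rather than deleting the row, so the listing still shows the prefix and its last_used_at, which is what lets you confirm that nothing is still calling with the old key after a rotation.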