Authentication
The Open API uses API keys (prefixed mono_) to authenticate requests. All requests must include a valid key in the Authorization header and be made over HTTPS. Keys are shown only once when created, so keep them secure and never share them in public repositories or client-side code.
```bash
curl https://customer.monotree.com/api/open/v1/walls \
  -H "Authorization: Bearer mono_your_token_here" \
  -H "Content-Type: application/json"
```
Scopes
Each token has scoped permissions — for example, read:posts allows reading posts while write:posts allows creating, updating, and deleting them. A request that requires a scope you don't have returns 403 Forbidden.
| Scope | Capability |
|---|---|
| read:posts, write:posts | Read or create/update/delete posts |
| read:comments, write:comments | Read or create/update/delete comments |
| write:media | Upload media files |
| read:announcements, write:announcements | Read or create/update/delete announcements |
| read:events, write:events | Read or create/update/delete events |
| read:calendar_entries, write:calendar_entries | Read or create/update/delete calendar entries |
| read:users | List users |
| read:groups | List groups |
| read:walls | List walls |
| read:stats | Read aggregated statistics |
Authorship
When creating a token, you choose who content is attributed to. Select Myself to have posts and announcements appear under your name, or System user to attribute them to the platform. This cannot be changed after the token is created.
IP restrictions
You can optionally restrict a token to a specific IP address. If set, requests from any other IP will be rejected with a 403 error. This is useful for server-to-server integrations with a static egress IP.
Expiration
Tokens may have an expiration date. Expired tokens return 401 Unauthorized.
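
The following client-side sketch is an added example, not code from the Monotree documentation. It keeps the key out of source code, refuses to attach it to anything other than an HTTPS URL on the API host, and maps the 401 and 403 responses described above to their causes. The environment variable name `MONOTREE_API_KEY` and all function names are assumptions; the host is the one from the curl example.

```python
import os
import urllib.error
import urllib.request
from urllib.parse import urlsplit

API_HOST = "customer.monotree.com"  # host from the curl example on this page
KEY_ENV_VAR = "MONOTREE_API_KEY"    # assumed name; the docs do not define one


def load_key(environ=os.environ):
    """Read the key from the environment so it never lands in a repository."""
    key = environ.get(KEY_ENV_VAR, "")
    if not key.startswith("mono_"):
        raise ValueError(f"{KEY_ENV_VAR} is unset or lacks the mono_ prefix")
    return key


def redact(key):
    """Log-safe form of a key: the prefix plus its last four characters."""
    return "mono_..." + key[-4:]


def build_request(url, key):
    """Attach the key only to HTTPS URLs on the expected API host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != API_HOST:
        raise ValueError(f"refusing to send API key to {url!r}")
    headers = {"Authorization": f"Bearer {key}", "Content-Type": "application/json"}
    return urllib.request.Request(url, headers=headers)


def explain_failure(status):
    """Map the auth failures this page documents to their causes."""
    if status == 401:
        return "token expired: create a new one"
    if status == 403:
        return "token lacks the required scope, or the source IP is not the allowed one"
    return "not an authentication failure described in the docs"


def call(url, key):
    """Send the request; on an HTTP error, report the cause without the key."""
    try:
        with urllib.request.urlopen(build_request(url, key), timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        detail = explain_failure(err.code)
        raise RuntimeError(f"HTTP {err.code} ({redact(key)}): {detail}") from err
```

Run it server-side only, with the key injected by your secret store or deployment environment.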