API authentication
MimicBot has two API surfaces with different auth requirements.
Agency-scoped endpoints (/api/*)
Every endpoint under /api/* requires a Bearer token scoped to your agency. This includes bot management, crawl triggers, pages, sources, actions, submissions, and billing.
Generating a token
- Open the MimicBot dashboard.
- Navigate to Settings → API tokens.
- Click New token, give it a name, and copy the generated value.
Tokens are agency-scoped — every request authenticated with a given token is scoped to that token's agency. You cannot use one agency's token to operate another agency's bots.
Sending the token
All authenticated requests include the token as a Bearer credential in the Authorization header:
curl https://api.mimicbot.app/api/bots \
  -H "Authorization: Bearer $MIMICBOT_TOKEN"
Replace $MIMICBOT_TOKEN with the value from the dashboard. On Unix shells, export MIMICBOT_TOKEN=sk_... once per session.
The server rejects any request to /api/* that is missing the Authorization: Bearer header or that supplies an empty token value.
Public endpoints (/v1/public/*)
The widget talks to the server over /v1/public/* endpoints that are CORS-unrestricted and require no authentication. A visitor is identified by a botPublicId + per-browser visitorId pair — both travel in the request body. There is no token involved.
Public endpoints are always rate-limited (see Rate limits). Agency-scoped endpoints are also rate-limited but at higher thresholds.
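The split between the two surfaces can be enforced on the client, so the agency token is attached only to /api/* requests and never to /v1/public/* ones. The wrapper below is an added example, not MimicBot's own code: the function names and exit codes are hypothetical, and the token character check assumes RFC 6750 b64token syntax, which this page does not specify.

```shell
#!/bin/sh
# Added example (not MimicBot code): choose credentials by API surface.
API_ORIGIN="https://api.mimicbot.app"   # host from the curl example on this page

# Print "bearer" for agency-scoped paths, "none" for public ones.
# Return 1 for anything else so a typo never sends a request at all.
auth_mode_for_path() {
  case "$1" in
    *..*)         return 1 ;;   # dot segments could cross from one surface to the other
    /api/*)       echo bearer ;;
    /v1/public/*) echo none ;;
    *)            return 1 ;;
  esac
}

# Local sanity check before any network call. The alphabet is an assumption
# (RFC 6750 b64token characters); it rejects empty values, spaces, quotes and CR/LF.
token_ok() {
  [ -n "$1" ] || return 1
  case "$1" in
    *[!A-Za-z0-9._~+/=-]*) return 1 ;;
  esac
  return 0
}

# Usage: mimicbot_request PATH [extra curl args...]
# Return codes 2 and 3 are this example's own choice.
mimicbot_request() {
  mb_path=${1:-}; [ "$#" -gt 0 ] && shift
  mb_mode=$(auth_mode_for_path "$mb_path") || {
    echo "refusing unknown path: $mb_path" >&2; return 2; }
  if [ "$mb_mode" = bearer ]; then
    token_ok "${MIMICBOT_TOKEN:-}" || {
      echo "MIMICBOT_TOKEN is unset or malformed" >&2; return 3; }
    # Feed the header through a config on stdin so the token does not
    # show up in the process list; --proto refuses plain http.
    printf 'header = "Authorization: Bearer %s"\n' "$MIMICBOT_TOKEN" |
      curl --silent --show-error --proto '=https' --config - \
           "$@" "$API_ORIGIN$mb_path"
  else
    # Public surface: no Authorization header is ever attached.
    curl --silent --show-error --proto '=https' "$@" "$API_ORIGIN$mb_path"
  fi
}
```

After sourcing the file, `mimicbot_request /api/bots` performs the same call as the curl example above, but fails locally when the token variable is unset or malformed.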
Errors
Unauthenticated requests to /api/* return 401 Unauthorized with error code UNAUTHENTICATED. Invalid, expired, or malformed tokens return the same code. A token whose profile is not attached to an agency returns 403 Forbidden with error code NO_AGENCY. See Errors for the full error shape.