Skip to main content
Requests are authenticated with two headers:
HeaderValue
AuthorizationBearer mega_<token> — your Personal Access Token (PAT).
x-customer-idThe UUID of the customer the request acts on.
curl https://app.gomega.ai/api/agents/crm/leads \
  -H "Authorization: Bearer mega_1a2b3c...." \
  -H "x-customer-id: 00000000-0000-0000-0000-000000000000"

How to get a key

Keys are issued by MEGA and delivered to you securely — there is no self-serve key portal. To request one, contact your MEGA account manager (or email [email protected]). Each key is:
  • Customer-locked — it only works for the one customer it was issued for. Using it with a different x-customer-id returns 403.
  • Scoped — it carries only the permissions you were granted (see below).
  • Shown once — store it in a secret manager. If it leaks, ask us to rotate it.

Scopes

Endpoints require specific scopes. Your key only carries the scopes you were granted; calling an endpoint your key isn’t scoped for returns 403.
ScopeGrants access to
public_api:leads:readGET /api/agents/crm/leads
public_api:leads:writePOST /api/agents/crm/leads, POST /api/agents/crm/leads/bulk
public_api:webhooks:manageThe /api/agents/crm/lead-webhooks endpoints

Server-to-server only

These are secret-key endpoints. Call them from your backend only. Never expose the token to a browser, mobile app, or any client the end-user controls.

Errors

StatusMeaning
401Missing/invalid token, or missing x-customer-id.
403Key lacks the required scope, or is locked to a different customer.
All errors use the standard error envelope.