MMD Studio

API tokens (account required)

API tokens let scripts and AI agents manage your diagrams on your behalf. A token authenticates the REST API the same way your browser session does, but without needing a password or cookie.

Create a token

  1. Sign in at mmd.studio.
  2. Click your avatar in the top-right corner.
  3. Choose Settings.
  4. Under API tokens, give the token a descriptive name (e.g. my-laptop, ci-pipeline) and click Create token.
  5. Copy the token immediately — it's shown exactly once and then replaced with a masked entry. The server only stores a sha256 hash of the token, so if you lose it there's no way to recover it. Just revoke and create a new one.

Tokens look like this:

mmd_UK1D_K-zUVktx25RGmVHQTZBrptm8Ljd51qXo8bMANo

The mmd_ prefix makes them easy to spot in logs and secret scanners.

Use a token

Pass the token as a Bearer token in the Authorization header on every request:

curl -H "Authorization: Bearer $MMD_TOKEN" \
  https://mmd.studio/api/diagrams

We recommend storing it in an environment variable rather than hard-coding it anywhere:

export MMD_TOKEN="mmd_..."

What a token can do

Tokens currently have full read/write access to the owner's diagrams: create, read, update, delete, and flip sharing settings. They cannot:

  • Create or revoke other tokens (session-only).
  • Change your email or password (session-only).
  • Access diagrams owned by anyone else.

Scoped and read-only tokens may land with the Pro plan.

Rate limits

API requests are subject to a daily limit per account:

  • Free plan: 10 requests per day across all tokens on your account.
  • Pro plan: unlimited requests. See pricing.

Hitting the free limit returns 429 Too Many Requests until the window resets at UTC midnight. A single agent session (read, edit, share a diagram) is typically 2–3 requests, so 10/day is enough to try the agent workflow and confirm it fits your setup. If you want to use agents regularly, upgrading to Pro removes the cap entirely.

Revoke a token

Open Settings → API tokens again and click the trash icon next to any token. Revocation is immediate — any client still using that token will receive 401 on its next call.

If you think a token is compromised, revoke it and create a new one. There's no cost to rotating tokens.
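A small client wrapper, added here as an example rather than taken from MMD Studio's own code, that ties the pieces above together: the token comes from the MMD_TOKEN environment variable, is checked against the mmd_ shape before any request is sent, goes out only in the Authorization header, and the two failure codes the docs describe (429 until UTC midnight, 401 after revocation) are turned into actionable messages. The 43-character base64url body is inferred from the sample token and the JSON response body of /api/diagrams is assumed.

```python
import os
import re
import json
import urllib.request, urllib.error
from datetime import datetime, timezone, timedelta

API_BASE = "https://mmd.studio/api"  # only /diagrams is documented above
# Shape inferred from the sample token in the docs (prefix + 43 base64url chars): an assumption.
TOKEN_RE = re.compile(r"^mmd_[A-Za-z0-9_-]{43}$")

def is_token_format(token: str) -> bool:
    """Cheap sanity check so a misconfigured env var fails before a request leaves the host."""
    return bool(TOKEN_RE.match(token))

def auth_headers(token: str) -> dict:
    """Bearer auth exactly as the docs specify; the token never goes into the URL or a cookie."""
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}

def seconds_until_utc_reset(now: datetime) -> int:
    """Free-plan window resets at UTC midnight: how long a 429'd caller should back off."""
    now_utc = now.astimezone(timezone.utc)
    nxt = (now_utc + timedelta(days=1)).replace(hour=0, minute=0, second=0, microsecond=0)
    return int((nxt - now_utc).total_seconds())

def classify_failure(status: int) -> str:
    """Map the two statuses the docs call out to an operator-facing action."""
    if status == 401:
        return "token rejected: revoked or invalid, create a new one under Settings > API tokens"
    if status == 429:
        return "daily limit hit: wait for the UTC-midnight reset or upgrade to Pro"
    return f"unexpected HTTP {status}"

def list_diagrams(token: str):
    """GET /api/diagrams; raises with a clear message on 401/429 instead of a bare traceback."""
    if not is_token_format(token):
        raise ValueError("MMD_TOKEN does not look like an mmd_ token")
    req = urllib.request.Request(f"{API_BASE}/diagrams", headers=auth_headers(token))
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)  # assumes a JSON body, as the Accept header requests
    except urllib.error.HTTPError as e:
        msg = classify_failure(e.code)
        if e.code == 429:
            msg += f" (about {seconds_until_utc_reset(datetime.now(timezone.utc))}s until reset)"
        raise RuntimeError(msg) from None

if __name__ == "__main__":
    print(list_diagrams(os.environ["MMD_TOKEN"]))
```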

Security notes

  • Tokens are sha256-hashed in the database. A DB leak wouldn't expose usable tokens.
  • Tokens travel in the Authorization header over HTTPS — they are not CSRF-vulnerable because CSRF relies on the browser attaching cookies automatically, whereas a Bearer header has to be set explicitly by the caller.
  • Never commit tokens to git. If you do by accident, revoke them immediately from settings and push a new commit with the value removed.
  • There's no rate limiting on tokens today, but that may change. Don't hammer the API.
