Authentication
Authenticate with the Loomal API
All API requests require a Bearer token in the Authorization header.
Base URL
https://api.loomal.ai
Authentication
Include your API key in every request:
curl https://api.loomal.ai/v0/messages \
  -H "Authorization: Bearer loid-your-api-key"
API Key Types
Loomal has two key types. They are deliberately non-overlapping — use the right one for the job.
| Prefix | Name | Acts as or on | Use for |
|---|---|---|---|
| loid- | Identity key | Acts as a single identity | Anything the agent does as itself: send/receive mail, vault access, TOTP, calendar, sign/verify |
| lopk- | Platform key | Acts on the platform | Manage identities at the org level: create, list, update scopes, rotate keys, delete |
A loid- key cannot manage other identities. A lopk- key cannot send mail, read a vault, or act as any identity. If you need both capabilities, use both keys.
Both formats are {prefix}-{64 hex characters}. Keys are shown only once at creation — store them securely.
Error Responses
Missing Authorization header
{
  "error": "unauthorized",
  "message": "Missing or invalid Authorization header",
  "status": 401
}
Invalid API key format
{
  "error": "unauthorized",
  "message": "Invalid API key format",
  "status": 401
}
Keys must start with loid- or lopk-. If the format is correct but the key is wrong:
{
  "error": "unauthorized",
  "message": "Invalid API key",
  "status": 401
}
Insufficient scope
{
  "error": "forbidden",
  "message": "Missing required scope: mail:send",
  "status": 403
}
Rate Limits
API requests are rate-limited per identity. Current limits:
| Limit | Value |
|---|---|
| API requests | 200/minute per identity |
| Auth attempts | 60/minute per IP |
Rate limit headers are included in responses:
X-RateLimit-Remaining
X-RateLimit-Reset
When rate limited:
{
  "error": "rate_limited",
  "message": "Too many requests",
  "status": 429
}
Platform Keys
Platform keys (lopk-) are created in the console under your organization settings and unlock the /v0/platform/identities endpoints for creating, rotating, and revoking identities programmatically. The same operations are available as MCP tools — see the platform tools reference.
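A client-side pre-flight check for the key rules in the API Key Types and Platform Keys sections, plus a log redactor for leaked keys. This is an added example, not Loomal's own code. It assumes hex digits may be either case and that only paths under /v0/platform/ take a platform key; all function names and the sample keys are constructed for illustration.

```python
import re

# Format stated on the page: {prefix}-{64 hex characters}, prefix loid or lopk.
# Assumption: hex digits may be upper or lower case (the page does not say).
KEY_RE = re.compile(r"\b(loid|lopk)-([0-9a-fA-F]{64})\b")
KEY_TYPES = {"loid": "identity", "lopk": "platform"}

# Constructed sample keys, not real credentials.
SAMPLE_IDENTITY_KEY = "loid-" + "ab12" * 16
SAMPLE_PLATFORM_KEY = "lopk-" + "0f" * 32


def classify_key(key: str) -> str:
    """Return 'identity' or 'platform'; raise ValueError on a malformed key."""
    m = KEY_RE.fullmatch(key)
    if m is None:
        # The key itself is deliberately left out of the error message.
        raise ValueError("not a well-formed loid-/lopk- key")
    return KEY_TYPES[m.group(1)]


def required_key_type(path: str) -> str:
    """Assumption: only /v0/platform/ paths take a platform key."""
    return "platform" if path.startswith("/v0/platform/") else "identity"


def auth_header(key: str, path: str) -> dict:
    """Build the Authorization header, refusing the wrong key type up front."""
    have, need = classify_key(key), required_key_type(path)
    if have != need:
        raise PermissionError(f"{path} needs a {need} key, got a {have} key")
    return {"Authorization": f"Bearer {key}"}


def redact(text: str) -> str:
    """Mask any key found in log or error text, keeping prefix and last 4 hex."""
    return KEY_RE.sub(lambda m: f"{m.group(1)}-****{m.group(2)[-4:]}", text)


if __name__ == "__main__":
    print(redact(f"request failed with key {SAMPLE_PLATFORM_KEY}"))
```

Rejecting a mismatched or malformed key locally avoids spending the per-IP auth-attempt budget on requests that can only return 401.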