Creating API tokens

Create a personal API token in the Asset Manager and use it against the REST API.

Creating a token

  1. Sign in to the Asset Manager at https://app.footage.one/account.
  2. Open the API Key section.
  3. Click Generate API Key.
  4. Copy the token — it is only shown in full once.

Note: The section is called "API Key" in the UI; in this documentation and the HTTP header we refer to it as "API token". Both terms refer to the same thing.

The token is tied to your user account and has the same permissions as you — treat it like a password.

Using the token

API tokens are used against the REST API at https://app.footage.one/api/asset/.... They are transmitted via the apiKey header (no Bearer prefix):

GET /api/asset/albums HTTP/1.1
Host: app.footage.one
apiKey: <YOUR_API_TOKEN>

curl example:

curl -H "apiKey: YOUR_API_TOKEN" \
  https://app.footage.one/api/asset/albums

Note: The exact auth mechanism at the REST endpoint is currently being standardised (work in progress). The backend currently accepts several auth variants in parallel (apiKey header, Authorization with JWT, userId + apiKey). We recommend the apiKey header for token auth — if your use case also requires a userId header, that is a sign of an internal endpoint.

MCP endpoint (separate — JWT only)

The external MCP server at https://mcp.footage.one/mcp does not accept the apiKey header. It exclusively uses JWT Bearer tokens from the OAuth2 flow:

Authorization: Bearer <jwt_from_oauth_flow>

Bearer auth with the static API token at the MCP endpoint is in progress but not yet available. For headless integrations today: use the REST API directly.

Public vs. token-required (REST)

Not all REST endpoints require auth. Quick overview:

Endpoint pattern                              Auth
/api/asset/ (Root)                            Public (Discovery)
/api/asset/configuration/archive              Public
/api/asset/public/...                         Public
All others (/assets, /albums, /search/...)    Token required

Public endpoints are ideal for anonymous demos or public share links.
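
A client-side guard for the rules above, as an added example (not code from footage.one): it attaches the apiKey header only to token-required REST paths and refuses any URL that is not HTTPS on app.footage.one. The environment variable name FOOTAGE_API_TOKEN and the function names are assumptions made for this example.

```python
import os
import urllib.request
from urllib.parse import urlsplit

API_HOST = "app.footage.one"      # REST host from this page
API_PREFIX = "/api/asset/"        # REST path prefix from this page
# Public patterns from the table above; every other path needs the token.
PUBLIC_EXACT = {"/api/asset/", "/api/asset/configuration/archive"}
PUBLIC_PREFIX = "/api/asset/public/"


def is_public(path):
    """True if the path matches one of the documented public patterns."""
    return path in PUBLIC_EXACT or path.startswith(PUBLIC_PREFIX)


def auth_headers(url, token):
    """Return the auth headers for url, or raise before the token can leak."""
    parts = urlsplit(url)
    # The token has the user's full permissions: only send it over TLS to the
    # REST host. This also rejects https://mcp.footage.one/mcp, which does
    # not accept the apiKey header.
    if parts.scheme != "https" or parts.hostname != API_HOST:
        raise ValueError("not an https URL on " + API_HOST)
    if not parts.path.startswith(API_PREFIX):
        raise ValueError("not a REST API path")
    if is_public(parts.path):
        return {}                 # public endpoint: keep the token off the wire
    if not token:
        raise ValueError("token required for " + parts.path)
    return {"apiKey": token}      # raw token, no "Bearer " prefix


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: urllib would resend apiKey to the new URL


def fetch(url):
    """GET url with the token taken from the environment (assumed variable name)."""
    token = os.environ.get("FOOTAGE_API_TOKEN")
    req = urllib.request.Request(url, headers=auth_headers(url, token))
    with urllib.request.build_opener(_NoRedirect).open(req, timeout=10) as resp:
        return resp.read()
```

Reading the token from the environment keeps it out of source files and command-line arguments.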

Service accounts? (not yet)

Currently there is one API token per user account, with no dedicated service account concept. If you are running a third-party app that has to map access for multiple users, use OAuth2 with PKCE instead.

Rotating / revoking the token

In the account area you can generate a new token at any time — the old one loses its validity immediately.
