Bearer token authentication

All API requests require a valid API key passed in the Authorization header as a Bearer token.
curl https://api.mavioapp.com/v1/meetings \
  -H "Authorization: Bearer mvo_live_abc123"
API keys are prefixed to help you identify them:
| Prefix | Environment | Usage |
| --- | --- | --- |
| mvo_live_ | Production | Live data, production integrations |
| mvo_test_ | Sandbox | Test data, safe for development |
Never expose your API keys in client-side code, public repositories, or browser requests. Always make API calls from your server.

Generating API keys

1. Open your dashboard

Navigate to mavioapp.com/settings/api and sign in.

2. Create a new key

Click Create API Key, give it a descriptive name (e.g., “Slack integration”), and select the scopes you need.

3. Copy your key

Your key is displayed once. Copy it and store it securely. You cannot retrieve it again after closing the dialog.

You can create up to 25 API keys per account. Keys can be revoked at any time from the same settings page.

Scopes

API keys can be scoped to limit access. When creating a key, select only the scopes your integration requires.
| Scope | Description |
| --- | --- |
| meetings:read | List and retrieve meetings |
| meetings:write | Delete meetings |
| transcripts:read | Retrieve and search transcripts |
| summaries:read | Retrieve summaries |
| summaries:write | Regenerate summaries |
| action_items:read | List action items |
| action_items:write | Update action item status, assignee, due date |
| webhooks:read | List webhook subscriptions |
| webhooks:write | Create, update, and delete webhook subscriptions |
Use the principle of least privilege. A read-only dashboard integration only needs meetings:read, transcripts:read, and summaries:read.

OAuth 2.0

For applications that act on behalf of Mavio users (e.g., third-party integrations), use the OAuth 2.0 Authorization Code flow.

1. Register your application

Register your app at mavioapp.com/settings/oauth-apps to receive a client_id and client_secret.

2. Redirect the user to authorize

https://mavioapp.com/oauth/authorize?
  client_id=YOUR_CLIENT_ID&
  redirect_uri=https://yourapp.com/callback&
  response_type=code&
  scope=meetings:read transcripts:read&
  state=random_csrf_token

Query parameters:

  • client_id (string, required): Your OAuth application’s client ID.
  • redirect_uri (string, required): The URL to redirect back to after authorization. Must match a registered redirect URI.
  • response_type (string, required): Must be code.
  • scope (string, required): Space-separated list of scopes to request.
  • state (string, required): A random string to prevent CSRF attacks. Verify this value when the user is redirected back.

3. Exchange the authorization code for tokens

After the user authorizes your app, they are redirected to your redirect_uri with a code parameter. Exchange it for an access token:
curl -X POST https://api.mavioapp.com/v1/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "authorization_code",
    "code": "AUTH_CODE_HERE",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET",
    "redirect_uri": "https://yourapp.com/callback"
  }'
{
  "access_token": "mvo_oauth_abc123def456",
  "token_type": "bearer",
  "expires_in": 3600,
  "refresh_token": "mvo_refresh_xyz789",
  "scope": "meetings:read transcripts:read"
}

4. Refresh the access token

Access tokens expire after 1 hour. Use the refresh token to obtain a new one:
curl -X POST https://api.mavioapp.com/v1/oauth/token \
  -H "Content-Type: application/json" \
  -d '{
    "grant_type": "refresh_token",
    "refresh_token": "mvo_refresh_xyz789",
    "client_id": "YOUR_CLIENT_ID",
    "client_secret": "YOUR_CLIENT_SECRET"
  }'
Refresh tokens are valid for 30 days and are single-use. Each refresh response includes a new refresh token.
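
The server side of steps 2 and 3, as an added example that is not Mavio's own code: it builds the authorization URL with a per-session random state and rejects any callback whose state does not match before the code is exchanged. The function names and the `session` dict (a stand-in for your framework's server-side session store) are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORIZE_URL = "https://mavioapp.com/oauth/authorize"  # endpoint from step 2


def build_authorize_url(session, client_id, redirect_uri, scopes):
    """Return the step 2 URL and bind a fresh random state to this session."""
    state = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    session["oauth_state"] = state     # session: hypothetical server-side store
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),     # space-separated; the space becomes %20
        "state": state,
    }, quote_via=quote)
    return f"{AUTHORIZE_URL}?{query}"


def verify_callback(session, callback_url):
    """Return the authorization code, or raise ValueError if state is invalid."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: consumed on first check
    received = params.get("state", [""])[0]
    # Compare as bytes so non-ASCII input cannot raise, and in constant time.
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: reject the callback, do not exchange the code")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("missing or duplicated code parameter")
    return codes[0]


if __name__ == "__main__":
    session = {}  # constructed stand-in for one user's session
    print(build_authorize_url(session, "YOUR_CLIENT_ID",
                              "https://yourapp.com/callback",
                              ["meetings:read", "transcripts:read"]))
    # Constructed callback URL carrying the state issued above.
    cb = ("https://yourapp.com/callback?code=AUTH_CODE_HERE&state="
          + session["oauth_state"])
    print(verify_callback(session, cb))  # the code to send in step 3
```

Because the stored state is removed on the first check, a replayed callback URL fails even when it carries the correct value.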

Security best practices

  • Store API keys and tokens in environment variables or a secrets manager, never in source code.
  • Rotate API keys periodically and immediately if you suspect a leak.
  • Use scoped keys with the minimum permissions required.
  • For OAuth, always validate the state parameter to prevent CSRF attacks.
  • Monitor your API usage on the dashboard for unexpected activity.