API keys let you authenticate programmatic requests to the Mavio API. Use them to build custom integrations, automate workflows, and connect Mavio data with your own tools and systems.

Creating an API key

1. Open developer settings

Navigate to Settings > Developer > API Keys.

2. Click Create Key

Click Create API Key and provide:
  • Name — a descriptive label (e.g., “CRM Sync”, “Analytics Pipeline”)
  • Scopes — the permissions this key should have (see scopes below)
  • Expiration — optional expiration date (recommended for security)

3. Copy the key

Your API key is displayed once. Copy it immediately and store it securely. You cannot retrieve the full key again after closing this dialog.

4. Start using the key

Include the key in your API requests using the Authorization header:

    Authorization: Bearer mavio_sk_your_api_key_here

Treat API keys like passwords. Never commit them to source control, expose them in client-side code, or share them in plain text. Use environment variables or a secrets manager.

Key scopes

Each API key can be restricted to specific scopes, limiting what the key can access:
Scope                 Access
meetings:read         List and retrieve meetings, transcripts, and summaries
meetings:write        Create, update, and delete meetings
recordings:read       Download recording audio files
transcripts:read      Retrieve transcript content
transcripts:write     Edit transcript content and speaker labels
notes:read            Read meeting notes and minutes
notes:write           Create and edit notes and minutes
action-items:read     List action items
action-items:write    Create, update, and complete action items
channels:read         List channels and their meetings
channels:write        Create channels, add meetings, manage members
speakers:read         List speaker profiles
speakers:write        Create and manage speaker profiles
team:read             Read team membership and settings
webhooks:manage       Create and manage webhook endpoints

Follow the principle of least privilege. Grant only the scopes your integration actually needs. You can always create a new key with broader permissions later.

Rate limits

API requests are rate-limited based on your plan:
Plan          Rate limit
Free          60 requests per minute
Pro           300 requests per minute
Team          1,000 requests per minute
Enterprise    Custom (contact sales)

Rate limit headers are included in every API response:

    X-RateLimit-Limit: 300
    X-RateLimit-Remaining: 287
    X-RateLimit-Reset: 1713100800

When the rate limit is exceeded, the API returns a 429 Too Many Requests response. Retry after the time indicated in the X-RateLimit-Reset header.
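
An added example (not Mavio's own code) of a client wrapper for the behaviour described above: it reads the key from the MAVIO_API_KEY environment variable, sends it in the Authorization header, and on a 429 waits until X-RateLimit-Reset. It assumes the reset value is a Unix timestamp in seconds; the `send` transport callable, the two wait constants and the sample key are constructed for illustration.

```python
import os
import time

MAX_WAIT = 120      # assumed cap (seconds) so a bad header cannot stall the client
DEFAULT_WAIT = 5    # assumed fallback when the reset header is missing or garbled

def load_api_key(env=None):
    """Read the key from MAVIO_API_KEY and fail closed if it is absent."""
    env = os.environ if env is None else env
    key = env.get("MAVIO_API_KEY", "").strip()
    if not key.startswith("mavio_sk_"):   # prefix taken from the page's sample header
        raise RuntimeError("MAVIO_API_KEY is unset or does not look like a Mavio key")
    return key

def redact(key):
    """Log-safe form of a key: last 4 characters only."""
    return "****" + key[-4:]

def retry_delay(status, headers, now):
    """Seconds to wait before retrying, or None when the response is not a 429.

    Assumes X-RateLimit-Reset is a Unix timestamp in seconds."""
    if status != 429:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    try:
        reset = int(lowered["x-ratelimit-reset"])
    except (KeyError, ValueError):
        return DEFAULT_WAIT
    return min(max(reset - int(now), 0), MAX_WAIT)

def call_with_retry(send, key, attempts=3, sleep=time.sleep, clock=time.time):
    """send(headers) -> (status, response_headers, body). The transport is a
    hypothetical callable injected by the caller, so no URL is assumed here."""
    for _ in range(attempts):
        status, resp_headers, body = send({"Authorization": f"Bearer {key}"})
        delay = retry_delay(status, resp_headers, clock())
        if delay is None:
            return status, body
        sleep(delay)
    raise RuntimeError(f"still rate-limited after {attempts} tries (key {redact(key)})")

if __name__ == "__main__":
    # Constructed responses: one 429 using the page's sample reset value, then a 200.
    replies = iter([(429, {"X-RateLimit-Reset": "1713100800"}, ""), (200, {}, "ok")])
    key = load_api_key({"MAVIO_API_KEY": "mavio_sk_constructed_example_0000"})
    print(call_with_retry(lambda h: next(replies), key,
                          sleep=lambda s: print("waiting", s, "s"),
                          clock=lambda: 1713100790))
```

The error raised after the last attempt carries only the redacted key, so it can be logged without exposing the secret.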

Managing keys

Viewing existing keys

Go to Settings > Developer > API Keys to see all active keys. The list shows:
  • Key name and partial key value (last 4 characters)
  • Scopes assigned
  • Creation date and expiration date
  • Last used timestamp

Rotating keys

To rotate a key without downtime:
  1. Create a new key with the same scopes.
  2. Update your integration to use the new key.
  3. Verify the integration works with the new key.
  4. Revoke the old key.

Revoking keys

Click the three-dot menu on any key and select Revoke. The key stops working immediately. This action cannot be undone.

Usage monitoring

Track how each API key is being used from Settings > Developer > API Keys > [Key] > Usage:
  • Request count — total API calls over time
  • Endpoint breakdown — which API endpoints are called most
  • Error rate — percentage of requests returning errors
  • Last used — the most recent successful request

Security best practices

  • Store API keys in environment variables (MAVIO_API_KEY) rather than hardcoding them. All major hosting platforms and CI/CD systems support environment variable management.
  • Always set an expiration date on API keys. Rotate keys on a regular schedule (e.g., every 90 days) to limit the blast radius of a compromised key.
  • Create a dedicated API key for each integration or service. This lets you revoke access for one integration without affecting others.
  • Review API key usage regularly. Unexpected spikes in request volume or requests to unusual endpoints may indicate a compromised key.
  • Enterprise plans support IP allowlists for API keys. Restrict each key to the IP addresses of the servers that use it.