Bearer keys
Every /api/v1/* call accepts a Bearer token, a Supabase session cookie, or both. Bearer keys have no expiry and stay valid until you revoke them, and they never appear in our logs.
Issue a key
Free or Pro — both can mint keys. Visit Settings → Developer and click Generate key. The full secret is shown once. Store it somewhere durable.
Format: qk_<prefix>_<secret> — the prefix is visible in the dashboard so you can identify keys without re-displaying the secret.
Plans & rate limits
Every authenticated request counts against a per-user limit. The response carries Retry-After on 429 plus retry_after in the JSON body.
| Plan | Per minute | Per day | AI / voice / webhooks |
|---|---|---|---|
| free | 60 | 1,000 | 402 pro_required |
| pro | 300 | 10,000 | included |
Pro-only routes: POST /capture with organize: true, POST /items/{id}/organize, POST /voice/transcribe, POST /webhooks. Everything else (capture without AI, search, bulk, project create, PATCH, toggle, archive, delete, tags, list) works on free.
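An added example (not quik.md's own client code) of a caller that honours these limits: on 429 it waits for the Retry-After header, falls back to retry_after in the JSON body, and treats 402 pro_required as a plan error that is never retried. It assumes both fields are in seconds; the `send` callable, the 120-second cap and the 1-second fallback are illustrative choices, and the transport is injected so the code runs offline.

```python
import json
import time
from typing import Callable, Mapping, Tuple

# (status, headers, body_text) as returned by any HTTP library; injected so the
# example runs offline. Header names are assumed to be lower-cased already.
Response = Tuple[int, Mapping[str, str], str]


class ProRequired(Exception):
    """402 pro_required: a plan limit, not a transient error, so never retried."""


def retry_delay(headers: Mapping[str, str], body: str, cap: float = 120.0) -> float:
    """Seconds to wait after a 429: Retry-After header first, then retry_after in the body."""
    candidates = [headers.get("retry-after")]
    try:
        parsed = json.loads(body)
        if isinstance(parsed, dict):
            candidates.append(parsed.get("retry_after"))
    except ValueError:
        pass  # empty or non-JSON body: rely on the header or the fallback
    for raw in candidates:
        try:
            seconds = float(raw)
        except (TypeError, ValueError):
            continue  # missing or non-numeric (e.g. an HTTP-date): try the next source
        if seconds >= 0:
            return min(seconds, cap)  # never let one response park the client indefinitely
    return 1.0  # assumed fallback when neither field is usable


def call_with_backoff(send: Callable[[], Response], max_attempts: int = 4,
                      sleep: Callable[[float], None] = time.sleep) -> Response:
    """Invoke send() until it returns something other than 429, or attempts run out."""
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status == 402:
            raise ProRequired(body)
        if status != 429 or attempt == max_attempts:
            return status, headers, body
        sleep(retry_delay(headers, body))
    raise AssertionError("max_attempts must be at least 1")
```
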
Send the key
curl https://quik.md/api/v1/me \
  -H "Authorization: Bearer qk_..."
Connect flow (installed agents)
For desktop or mobile clients you ship to other users, don’t ask them to paste a key. Use the connect flow: open the user’s browser, get them to approve, receive the token via a deep link.
/api/v1/connect/start: Unauthed. Body: { state, label }. Returns 204.
/api/v1/connect/exchange: Unauthed. Body: { state }. Returns the Bearer key once approved.
Full flow: see the agent prompts.
Revoke
From Settings → Developer. Revocation is immediate.